HowTo Disable a User Account in Linux
This short howto shows how to disable a user account under Linux. This is useful when you don’t want to permanently remove the user, but just want the account disabled and no longer able to use the system. The user will still receive emails, for example, but will not be able to log in and check them.
Modern Linux systems use /etc/shadow to store the encrypted user passwords. The quickest way to disable a user is to alter his password stored in /etc/shadow. Normally an active user account has one line in /etc/shadow that looks like:
user:$1$eFd7EIOg$EeCk6XgKktWSUgi2pGUpk.:13852:0:99999:7:::
where the second field is the encrypted password.
If we replace the password with “*” or “!” this will make the account unusable, and it will mean that no login is permitted for the user:
user:*:13852:0:99999:7:::
The disadvantage of this method is that the user’s password is lost (unless saved somewhere, etc.) if we later want to re-enable the account. From this point of view a much better method is to use the passwd command to lock the account:
passwd -l <username>
and the output of a successful change will be “Password changed.” This just changes the shadow file, adding “!” in front of the user’s password:
user:!$1$eFd7EIOg$EeCk6XgKktWSUgi2pGUpk.:13852:0:99999:7:::
Of course we could also do this manually ourselves if we want.
If you ever need to re-enable the account, just unlock it:
passwd -u <username>
or just manually remove the “!” character from the user’s password line in /etc/shadow.
Of course, if you don’t need any of this and just want to permanently remove the user, run:
userdel <username>
This will keep his old files (home directory, mails, etc.). To delete all his files on the system as well:
userdel -r <username>
Just be careful to check what the user’s home directory is before running this command; personally I have seen someone do this and erase the whole system… the user had “/” set as home.
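The difference between replacing the hash with “*” and locking with passwd -l can be checked on the shadow lines themselves. The script below is an added example, not part of the original article: shadow_state, lock_line and unlock_line are hypothetical helper names, and they only transform strings, never /etc/shadow.

```sh
#!/bin/sh
# Added example: how the password field (field 2) of a shadow line encodes
# account state. Works on strings only; it never touches /etc/shadow.

# shadow_state LINE -> nopassword | nologin | locked | active
shadow_state() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    rest=$(printf '%s\n' "$pw" | sed 's/^!*//')   # field without leading "!"
    if [ -z "$pw" ]; then
        echo nopassword        # empty field: no password is required
    elif [ -z "$rest" ] || [ "$rest" = '*' ]; then
        echo nologin           # only "!" / "*": no hash left to restore
    elif [ "$rest" != "$pw" ]; then
        echo locked            # "!" + hash: reversible lock
    else
        echo active
    fi
}

# lock_line LINE -> LINE with "!" put in front of field 2 (effect of passwd -l)
lock_line() {
    printf '%s\n' "$1" | awk -F: -v OFS=: '{ $2 = "!" $2; print }'
}

# unlock_line LINE -> LINE with one leading "!" removed (effect of passwd -u)
unlock_line() {
    printf '%s\n' "$1" | awk -F: -v OFS=: '{ sub(/^!/, "", $2); print }'
}

# The first line is the article's sample entry; the others are derived from it.
active='user:$1$eFd7EIOg$EeCk6XgKktWSUgi2pGUpk.:13852:0:99999:7:::'
locked=$(lock_line "$active")
for line in "$active" "$locked" 'user:*:13852:0:99999:7:::' \
            "$(unlock_line "$locked")"; do
    printf '%-10s %s\n' "$(shadow_state "$line")" "$line"
done
```

The lock and unlock round trip returns the original line byte for byte, while the “*” entry reports nologin because no hash remains to restore.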
5th December 2007, 14:36
Why not just set their login shell in /etc/passwd to /bin/false? That way, you don’t lose the password, but when they try to log in, they immediately get disconnected?
5th December 2007, 14:49
Glen: thanks for your comment. Regarding what you said, that will not disable the user. It will just prevent him from logging in to shell-based applications like ssh, for example, and others that check the shell, like some ftp daemons. Still, the user will be functional and able to receive emails or use other services that are not based on the shell. Moreover, the user can even have no shell in the first place.
Cheers,
- Marius -
19th December 2007, 03:50
Dear Sirs, I tried, but the email account is also locked. Is there any way I can disable the user login, while the user is still able to send/receive email? I remember something like a nologin file to place somewhere. Thanks.
19th December 2007, 09:44
Thavee: it depends on what kind of access you give your users and what you want to deny. From what I understand you just want to disable shell access and leave others like email functional. For this you just have to make sure that the user doesn’t have a valid shell in /etc/passwd. You can set it to /bin/false, or whatever, but be sure it is not a valid shell like /bin/bash, /bin/sh, etc.
- Marius -
10th January 2008, 06:54
I’d also note that changing the password won’t disable things like logging into ssh via key-based authentication. Not sure about locking the account, though.
10th January 2008, 20:55
HoverHell: you are right… changing the user password (and also locking) will still allow him to connect using ssh via key-based auth. If this is used, then the user’s authorized_keys must be moved to a different location.
Thanks for the note,
- Marius -
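The follow-up check this exchange points to, as an added example that is not part of the original thread: list accounts whose shadow entry is locked but whose home still holds an authorized_keys file. The function names, the ROOT_PREFIX argument and the fixture are hypothetical, and the script assumes keys live in the default ~/.ssh/authorized_keys location.

```sh
#!/bin/sh
# Added example: find locked accounts that still have SSH keys installed.
# Usage: locked_with_keys SHADOW_FILE PASSWD_FILE [ROOT_PREFIX]
# ROOT_PREFIX is prepended to each home directory so the check can run
# against a copied or constructed tree instead of the live system.
locked_with_keys() {
    shadow=$1 passwd=$2 root=${3:-}
    # Password field starting with "!" or "*" means password login is disabled.
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$shadow" |
    while IFS= read -r user; do
        home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$passwd")
        [ -n "$home" ] || continue
        # -s: file exists and is not empty
        if [ -s "$root$home/.ssh/authorized_keys" ]; then
            echo "$user"
        fi
    done
}

# Constructed fixture: alice is locked but keeps a key, bob is locked with no
# key, carol is active. Hashes and key material are placeholders.
make_fixture() {
    d=$(mktemp -d)
    printf '%s\n' 'alice:!$6$constructed$hash:19000:0:99999:7:::' \
                  'bob:*:19000:0:99999:7:::' \
                  'carol:$6$constructed$hash:19000:0:99999:7:::' > "$d/shadow"
    printf '%s\n' 'alice:x:1001:1001::/home/alice:/bin/bash' \
                  'bob:x:1002:1002::/home/bob:/bin/false' \
                  'carol:x:1003:1003::/home/carol:/bin/bash' > "$d/passwd"
    for u in alice carol; do
        mkdir -p "$d/home/$u/.ssh"
        echo 'ssh-ed25519 PLACEHOLDER constructed' \
            > "$d/home/$u/.ssh/authorized_keys"
    done
    echo "$d"
}

fx=$(make_fixture)
locked_with_keys "$fx/shadow" "$fx/passwd" "$fx"   # prints: alice
rm -rf "$fx"
```

On a live system the same function would be run as root with /etc/shadow and /etc/passwd and no prefix.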
15th January 2009, 17:05
Shouldn’t it be:
usermod -L
/??
29th May 2009, 14:29
What’s the easiest way to set an “automagic” account expiration …?
For example, you need to create a user that only needs access for a short amount of time, but you want to automatically disable the account after maybe 30 Days in case you forget to manually do it …
I thought about using the “EXPIRE= ” that’s located in: /etc/default/useradd
But, I don’t want ALL accounts to be disabled after 30 Days …
I also thought about using the -E switch with chage & a specific date, but that’s not necessarily “automatic” …
Any guidance would be great …
Thanks in advance.
31st May 2009, 20:01
@Sam: As you said, I think that the easiest way to set automatic expiration is to have a default set in useradd or similar and overwrite it on the command line on particular accounts that don’t need that limitation.
18th August 2009, 15:07
Having not done this before, say I run userdel then decide afterwards I actually want to del their home too.
What should I run?
Thanks in advance
18th August 2009, 20:04
@Nick: if you are not sure, you should probably just lock the account. If you want to remove the account (with their data) that is not recoverable (unless you do that from backups) so you should be sure that you want that. hth.
20th August 2009, 11:10
Indeed it does!
I will definitely remove as the box in question has limited disk-space. I only actioned the tidy for neatness’ sake rather than something mission-crit.
I installed Pessulus into my Lenny and wanted to see if it showed up by default (which it does) so I created a test account. Not reading the above instructions properly I del the user but not their home! DOH!