Let’s say I create a user named “bogus” using the adduser command. How can I make sure this user will NOT be a viable login option, without disabling the account? In short, I want the account to be accessible via su - bogus, but I do not want it to be accessible via a regular login prompt.
Searching around, it seems I need to disable that user’s password, but doing passwd -d bogus didn’t help. In fact, it made things worse, because I could now log in to bogus without even typing a password.
Is there a way to disable regular logins for a given account?
Note: Just to be clear, I know how to remove a user from the menu options of graphical login screens such as gdm, but these methods simply hide the account without actually disabling login. I’m looking for a way to disable regular login completely, text-mode included.
Answers:
Method 1
passwd -l user
is what you want.
That will lock the user account. But you’ll still be able to
su - user
but you’ll have to su - user as root.
Alternatively, you can accomplish the same thing by prepending a ! to the user’s password in /etc/shadow (this is all passwd -l does behind the scenes). And passwd -u will undo this.
Method 2
The man page of passwd(1) says about passwd -l:
Note that this does not disable the account. The user may still
be able to login using another authentication token (e.g. an SSH
key). To disable the account, administrators should use usermod
--expiredate 1 (this set the account’s expire date to Jan 2,
1970).
So
usermod --expiredate 1 [LOGIN]
seems to me like the right way to disable an account a user should not be able to use anymore (e.g. because he left the company).
Method 3
There are two methods to prevent a user from being able to login:
- you can lock the user by editing /etc/passwd
- by directly issuing the passwd command with the -l switch
In the second case the user can login using another authentication token (e.g. an SSH key).
Method #1
- Find where nologin is: /bin/nologin or /bin/sbin/nologin
- Open a terminal and login as root
- Type
vi /etc/passwd
Now you are in the passwd file; press Ins to edit the file.
Change the below line with the nologin option (/bin/bash means the user is able to login).
root:x:0:0:root:/root:/bin/bash
to this. nologin means the user is unable to login.
root:x:0:0:root:/root:/bin/nologin
(or with /bin/sbin/nologin)
- Close the vi Esc :wq
Method #2
To lock user: passwd -l username
To unlock user: passwd -u username
Method 4
It’s quite an easy task; you simply have to make some changes in the /etc/passwd file.
You simply have to change the shell, which is generally /bin/bash by default (i.e. you can log in using this shell); change it to /bin/nologin or /bin/false. It is advisable to change it to /bin/nologin because /bin/false is outdated.
Method 5
Set /bin/false as a shell in /etc/passwd
Method 6
Assuming you want to start with a fresh user account:
sudo adduser --no-create-home --disabled-password --disabled-login <uname>
With usermod --expiredate 1 <uname> I had the problem that this account cannot be used for anything anymore (e.g. for samba logins). My use-case was that I want to disable all functionality for ssh, ordinary, … logins but still use it as a Samba user.
Method 7
When we lock the user using the passwd -l user command, “!!” is shown in the /etc/shadow file. We are still able to switch to the user’s shell from the root account, but not able to switch to the user account from other normal users’ login shells.
We can also disable the account by putting /bin/nologin or /bin/false into the /etc/passwd file, so the user will not be able to log in.
Method 8
You can use the command
usermod -s /sbin/nologin username
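The answers above change different fields: passwd -l and passwd -d alter the password field in /etc/shadow, usermod --expiredate sets the expiry field, and the nologin methods change the shell in /etc/passwd. The following is an added example, not part of any answer: a shell function that reports which of these apply to an account; the name login_state, its output labels and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify what blocks an account, given one /etc/passwd line
# and one /etc/shadow line. It works on strings, so it needs no root access.

# login_state PASSWD_LINE SHADOW_LINE [TODAY]   (TODAY = days since 1970-01-01)
# Prints space-separated findings, or "open" when nothing blocks a login.
login_state() {
    today=${3:-$(( $(date +%s) / 86400 ))}
    shell=$(printf '%s\n' "$1" | cut -d: -f7)    # passwd field 7: login shell
    hash=$(printf '%s\n' "$2" | cut -d: -f2)     # shadow field 2: password
    expire=$(printf '%s\n' "$2" | cut -d: -f8)   # shadow field 8: expiry day
    out=""
    case "$hash" in
        '')   out="$out empty-password" ;;     # passwd -d: no password needed
        '!'*) out="$out password-locked" ;;    # passwd -l: SSH keys may still work
        '*'*) out="$out password-unusable" ;;  # no string can match this field
    esac
    case "$expire" in
        ''|*[!0-9]*) ;;                        # unset or not a number
        *) if [ "$expire" -gt 0 ] && [ "$today" -ge "$expire" ]; then
               out="$out account-expired"      # usermod --expiredate 1
           fi ;;
    esac
    case "$shell" in
        */nologin|*/false) out="$out no-login-shell" ;;  # usermod -s
    esac
    printf '%s\n' "${out:-open}" | sed 's/^ //'
}

# Constructed sample entries (the hash text is a placeholder, not a real hash).
PW_BASH='bogus:x:1001:1001::/home/bogus:/bin/bash'
PW_NOLOGIN='bogus:x:1001:1001::/home/bogus:/sbin/nologin'
SH_HASHED='bogus:$6$salt$placeholder:19000:0:99999:7:::'
SH_LOCKED='bogus:!$6$salt$placeholder:19000:0:99999:7:::'    # after passwd -l
SH_EMPTY='bogus::19000:0:99999:7:::'                         # after passwd -d
SH_EXPIRED='bogus:$6$salt$placeholder:19000:0:99999:7::1:'   # --expiredate 1

for s in "$SH_HASHED" "$SH_LOCKED" "$SH_EMPTY" "$SH_EXPIRED"; do
    printf '%-16s %s\n' "$(login_state "$PW_BASH" "$s" 20000)" "$s"
done
login_state "$PW_NOLOGIN" "$SH_LOCKED" 20000
```

On a real system the two arguments can come from getent passwd bogus and, as root, getent shadow bogus.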
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0