How to Lock and Unlock User in Linux
How do you lock a user account in Linux? Even more importantly, how do you unlock the user in Linux? Learn various ways of locking and unlocking users in the Linux command line.
There could be a number of reasons why you would want to disable a user in your multi-user Linux environment. Perhaps an employee left the organization and, instead of deleting the user altogether, you want to lock the account for archival purposes.
In this tutorial, I’ll show you three ways to lock a user in the Linux command line. I’ll also discuss how to unlock the user.
Please note that to make these changes, you need to either be root or have root access via sudo.
Method 1: Lock and unlock users with passwd command
The passwd command in Linux deals with passwords of a user account. You can also use this command to lock a user account.
The command basically works on the /etc/passwd file. You may manually modify this file but I advise against it.
To lock a user with the passwd command, you can use the option -l or --lock in this manner:
passwd -l user_name
Verify the status of a user with passwd command
You can learn whether a user is locked or unlocked using the option -S or --status of the passwd command.
passwd -S user_name
Look at the second field in the output. Here’s what it means:
– P or PS: password is set (user is unlocked)
– L or LK: User is locked
– N or NP: No password is needed by the user
Here’s a sample output of the passwd command:
standard P 10/14/2019 0 99999 7 -1
To unlock the user with the passwd command, you can use the option -u or --unlock:
passwd -u user_name
On Ubuntu, you’ll see an output like this for both locking and unlocking the user:
passwd: password expiry information changed
What about login via SSH?
There is a major problem with locking users this way. Since it only works with the /etc/passwd file, the locked user will still be able to log in via SSH keys (if login via SSH key is set). I’ll show you how to deal with it in the next section.
Method 2: Lock and unlock users with usermod command
You can also use the usermod command. The command is primarily used for modifying user accounts in Linux. You can also modify the state of a user by locking or unlocking with usermod.
To lock the user, you can use the -L option in this manner:
usermod -L user_name
To unlock the user, you can use the -U option:
usermod -U user_name
How do you verify if the user is locked or not? The usermod command also works on the /etc/passwd file so you can use the passwd -S user_name command to check the status of the user.
But usermod also works with the /etc/passwd file, so this means the locked user could still be able to log in via SSH keys, right? That’s right. But there are ways to overcome this problem.
For example, you can change the shell of the user to nologin, and this will not allow the user to log in to a shell.
Another method is to lock the user and provide an expiry date in the past. This sets the account to expire on a date that has already passed, and locks it as well.
Make sure that the past date is between 1970-01-02 and the current date.
usermod -L --expiredate 1970-01-02 user_name
You can reverse it with this command:
usermod -U --expiredate '' user_name
There is a similar way to lock the user in Linux with chage command. Let’s see it in the next section.
Method 3: Lock and unlock users with chage command
The chage command is used for changing the user password expiry information. It can be used to automatically lock an inactive user after a certain number of days of inactivity.
Basically what you did with the usermod command in the previous section can be achieved with chage command like this:
chage -E 1 username
Basically, you have set the expiry date to 1970-01-02. You can see the details like this:
abhishek@linuxhandbook:~$ sudo chage -l standard
Last password change : Nov 07, 2019
Password expires : never
Password inactive : never
Account expires : Jan 02, 1970
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
You can remove the expiry date and thus unlock the user in this manner:
chage -E -1 username
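To audit which of the three methods has actually been applied to an account, the following added example (not part of the original tutorial) combines the passwd -S status field, the "Account expires" line of chage -l and the login shell into one verdict. The function names, verdict strings and sample values are assumptions made for this example, and the chage output is assumed to be in the C locale.

```shell
#!/bin/sh
# Added example, not from the tutorial: report how completely an account is locked
# from the text printed by `passwd -S` and `chage -l`, plus the login shell.

# Second field of `passwd -S`: L/LK = locked, P/PS = password set, N/NP = none.
passwd_state() {
    set -- $1
    case "$2" in
        L|LK) echo locked ;;
        P|PS) echo set ;;
        N|NP) echo none ;;
        *)    echo unknown ;;
    esac
}

# "Account expires" line of `chage -l` (C locale) -> YYYYMMDD, or "never".
expiry_ymd() {
    printf '%s\n' "$1" | awk -F': *' '/^Account expires/ {
        if ($2 == "never") { print "never"; exit }
        split($2, d, /[ ,]+/)    # "Jan 02, 1970" -> Jan / 02 / 1970
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", d[1]) + 2) / 3
        printf "%04d%02d%02d\n", d[3], m, d[2]; exit
    }'
}

# lock_verdict PASSWD_S_LINE CHAGE_L_TEXT LOGIN_SHELL [TODAY_YYYYMMDD]
lock_verdict() {
    today=${4:-$(date +%Y%m%d)}
    exp=$(expiry_ymd "$2")
    if [ -n "$exp" ] && [ "$exp" != never ] && [ "$exp" -le "$today" ]; then
        echo account-expired; return    # expiry date in the past (Methods 2 and 3)
    fi
    case "$3" in
        */nologin|*/false) echo no-login-shell; return ;;
    esac
    if [ "$(passwd_state "$1")" = locked ]; then
        echo password-locked-only       # per the tutorial, SSH key login still works
    else
        echo active
    fi
}

# Constructed sample input, modelled on the outputs shown in the tutorial.
SAMPLE_LOCKED='standard L 10/14/2019 0 99999 7 -1'
lock_verdict "$SAMPLE_LOCKED" 'Account expires : never' /bin/bash
lock_verdict "$SAMPLE_LOCKED" 'Account expires : Jan 02, 1970' /bin/bash
# Live use: lock_verdict "$(passwd -S "$u")" "$(LC_ALL=C chage -l "$u")" \
#           "$(getent passwd "$u" | cut -d: -f7)"
```

A verdict of password-locked-only marks an account that was locked with Method 1 or a plain usermod -L and still needs the expiry date or nologin shell applied.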
In the end…
As always, there are various ways to accomplish a task in the Linux command line. I have shown here three methods to lock and unlock users in Linux. Do you know a better way, or do you have some best-practice suggestions for locking users? Do share them in the comment section.