Creating user accounts on Linux can be easy and was discussed in another tutorial. Many people need to create and remove user accounts but few people actually consider wanting to disable them.
Luckily if you wish to disable a user account, it isn't that hard. This guide will demonstrate how to easily disable or enable an account using a very common command.
The things you will need before starting:
- Access to a Linux Desktop or Server.
- Access to the root account or an account with sudo access.
Before starting: If you want to permanently disable a user account, it should probably just be removed.
This tutorial will use a command named passwd. Passwd is used to set a password for a user. Earlier in the tutorial "How to add and remove user accounts in Linux" the passwd command was used to set the password of newuser. Passwd can be used to change your own password or the password of another account as long as the user account you are using has sudo or root access.
In command line operating systems we use options added to commands to render a new result or modify the command in some way.
In UNIX-like Operating Systems user account info is stored in /etc/passwd and/or /etc/shadow. Looking at the shadow file a user account with a password may look like this:
newuser:$6$AgOf53ma$Y/A2c0L6fKMctw4FF1qmIBWF2hT5xAms945eDz9VXz73i4RjAH5ZJqIIRaqSceuQ6YhlMe3ilsLRDbej.Z7b81:16182:0:99999:7:::
Disabling a User Account
We will use the -l option to lock the user account. This will preserve the password in the shadow file but will disable login so that the password does not need to be reset after it is unlocked.
$ sudo passwd -l newuserPlease note that there was an exclamation mark (!) added to the beginning of the hashed password section.
newuser:!$6$AgOf53ma$Y/A2c0L6fKMctw4FF1qmIBWF2hT5xAms945eDz9VXz73i4RjAH5ZJqIIRaqSceuQ6YhlMe3ilsLRDbej.Z7b81:16182:0:99999:7:::
Re-enabling a User Account
We will use the -u option to unlock the user account. This will remove the exclamation mark (!) added in the previous step.
$ sudo passwd -u newuserPlease note that the exclamation point was removed from the beginning of the hashed password section.
newuser:$6$AgOf53ma$Y/A2c0L6fKMctw4FF1qmIBWF2hT5xAms945eDz9VXz73i4RjAH5ZJqIIRaqSceuQ6YhlMe3ilsLRDbej.Z7b81:16182:0:99999:7:::
Disabling users through other methods
Examining some of the other ectopy in the shadow file:
Asterisks (*): You may find an asterisk (*) in the place of the hashed password. The asterisk indicates that login is disabled for the user account through the use of a password but can login through other means. This may mean ssh keys, Kerberos or other method of authentication.
sshd:*:16005:0:99999:7:::
Exclamation Marks (!): There may also be an exclamation mark (!) in place of the password entirely. This means that the user account is locked, but that it was locked without a previously set hashed password.
libuuid:!:16005:0:99999:7:::
It would be necessary to edit the /etc/shadow file directly, but it is not advocated.
It is suggested that if there is a need for expiring passwords to please reference the man pages for the passwd command through the command line man passwd.
You can now disable user accounts and re-enable them when necessary without removing users and having to recreate them.