How to disable user accounts in Linux
Linux systems use /etc/shadow to store the encrypted user passwords. The quickest way to disable a user is to alter the password stored in /etc/shadow. Normally an active user account has one line in /etc/shadow that looks like:
user:$1$eFd7EIOg$EeCk6XgKktWSUgi2pGUpk.:13852:0:99999:7:::
where the second field is the encrypted password.
If we replace the password with “*” or “!” this will make the account unusable, and it will mean that no login is permitted for the user:
user:*:13852:0:99999:7:::
This method has the disadvantage that the user's password is lost (unless it was saved somewhere) if we later want to re-enable the account. From this point of view, a much better method is to use the passwd command to lock the account:
passwd -l <username>
The output of a successful change will be “Password changed.” This just edits the shadow file and adds “!” in front of the user's password:
user:!$1$eFd7EIOg$EeCk6XgKktWSUgi2pGUpk.:13852:0:99999:7:::
Of course, we could also make this change manually if we want.
If you ever need to re-enable the account, just unlock it:
passwd -u <username>
or manually remove the “!” character from the user’s password line in /etc/shadow.
Of course, if you don’t need any of this and just want to permanently remove the user, run:
userdel <username>
This keeps the user's old files (home directory, mail, etc.). To also delete all of the user's files on the system, run:
userdel -r <username>
Changing the user's password (and also locking it) will still allow the user to connect over ssh with key-based authentication. If key-based authentication is in use, the user’s authorized_keys file must be moved to a different location.
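The following script is an added example, not part of the original article. It classifies the password field of a shadow-format line into the states described above and flags a locked or disabled account that still has SSH keys in place. The function names are hypothetical, the sample key and home directory are constructed, and it assumes sshd uses its default AuthorizedKeysFile location (.ssh/authorized_keys under the user's home).

```sh
#!/bin/sh
# Added example: audit shadow-format entries for the states the article describes.

# shadow_state LINE: classify the password field (field 2) of a shadow line.
shadow_state() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    if [ -z "$pw" ]; then
        echo "empty"                  # no password set at all
    elif [ -z "$(printf '%s' "$pw" | tr -d '!*')" ]; then
        echo "no-login"               # only "!" or "*": the original hash is gone
    else
        case "$pw" in
            '!'*) echo "locked" ;;    # "!" + hash: unlocking restores the password
            *)    echo "active" ;;
        esac
    fi
}

# has_ssh_keys HOME: true if HOME/.ssh/authorized_keys exists and is non-empty.
# Assumption: default AuthorizedKeysFile path; sshd_config may point elsewhere.
has_ssh_keys() {
    [ -s "$1/.ssh/authorized_keys" ]
}

# audit_account LINE HOME: print "user state", plus a flag when a locked or
# disabled account could still be reached with key-based authentication.
audit_account() {
    user=$(printf '%s\n' "$1" | cut -d: -f1)
    state=$(shadow_state "$1")
    note=""
    if [ "$state" = "locked" ] || [ "$state" = "no-login" ]; then
        if has_ssh_keys "$2"; then note=" ssh-keys-still-present"; fi
    fi
    echo "$user $state$note"
}

# Constructed demo: the locked entry from the article and a throwaway home dir.
demo() {
    home=$(mktemp -d)
    mkdir -p "$home/.ssh"
    echo 'ssh-ed25519 AAAA-constructed-placeholder user@example' > "$home/.ssh/authorized_keys"
    audit_account 'user:!$1$eFd7EIOg$EeCk6XgKktWSUgi2pGUpk.:13852:0:99999:7:::' "$home"
    rm -rf "$home"
}
demo
```

On a real system, feed it lines from /etc/shadow (readable by root only) together with each user's home directory from /etc/passwd.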
