≡ Menu

Linux Disable Shell / FTP Access For a User Account

My users will only be checking mail, and I want to disable FTP access as well as shell access under CentOS Linux. How do I disable shell (SSH) and FTP access to a new or old user under Linux without deleting user account?

You can easily disable shell, ssh and FTP access to a user using following commands:

  1. chsh command : It used to change your login shell.
  2. /sbin/nologin: Displays a message that an account is not available and exits non-zero. It is intended as a replacement shell field for accounts that have been disabled.

Task: Disable Linux User Shell Account

Type the following command to disable shell access for tom:
# chsh -s /sbin/nologin {username}
# chsh -s /sbin/nologin tom

Sample Outputs:

Changing shell for tom
Shell changed.


  1. -s /sbin/nologin: Politely refuse a login
  2. tom : The user name you wish to deny shell access to.

Task: Disable Linux FTP User Account

If you have VSFTPD ftp server or other FTP server add user to /etc/ftpusers or /etc/vsftpd/ftpusers (VSFTPD) file.
# echo tom >> /etc/ftpuser
# echo tom >> /etc/vsftpd/ftpusers
Any user name added to /etc/ftpusers or /etc/vsftpd/ftpusers will prevent them from logging into FTP. However, this will still allow user to login via email (webmail or pop3 / IMAP) and download emails without shell access.

A Note About PAM and access.conf

Apart from above two method Linux supports pam and access.conf login tables.

Pam modules can be used to enable or disable access to certain services such as vsftpd, ssh, and so on. /etc/security/access.conf act as login access control table, which is useful to deny or login access based upon ip address, network location or tty name. When someone logs in, the file is scanned for the first entry that matches the (user, host) combination, or, in case of non-networked logins, the first entry that matches the (user, tty) combination. The permissions field of that table entry determines whether the login will be accepted or refused. See how to use pam modules to enable or disable login access. For e.g. deny access to tom, enter the following in /etc/security/access.conf
- : tom : ALL

  • - : Deny access. a "+" character (plus) for access granted or a "-" character (minus) for access denied.
  • tom: Username. It should be a list of one or more login names, group names, or ALL (which always matches).
  • ALL : Deny access from all ip address.

Further readings:

  • man pages access.conf, nologin, pam, chsh, vsftpd.conf

{ 14 comments… add one }

  • daniels June 24, 2009, 11:52 am

    Why not use virtual users for email?

  • anurdh65 June 25, 2009, 4:24 am


    Thanks for this information. Can anybody help me to get the ip address as Linux coding. I normally use the website ip details to get the ip address for windows. But i want to get the ip address for teh linux platform can anybody help me for the coding

  • Vishal June 25, 2009, 2:08 pm

    Can you elaborate your question pls?

  • Rick June 25, 2009, 5:38 pm


    To get the ip address of a linux box, type the following from the command prompt (bash shell):


    Sometimes you can also get ip information using the following hack:

    host `hostname`

    To get the ip address of a windows box, type the following form the command promt (dos shell):


  • Tim (kb0odu) June 26, 2009, 12:29 am

    To get the just the IP Address under linux, try the following command:
    ifconfig eth1 | grep 'inet'
    This will return both the IPv4 and IPv6 Addresses. If you only want the IPv4 Address, try the following:
    ifconfig eth1 | grep 'Bcast'
    Change to the appropriate interface if it isn’t eth1.

  • Markus June 27, 2009, 7:34 am

    Setting shell to nologin do not prevent the user to forward ports with SSH.

  • Alfa November 12, 2009, 2:37 am

    alternative, you can edit /etc/passwd.
    Before :

    After :

  • Anonymous December 27, 2009, 2:20 am

    You can disable the account by locking it with:
    passwd -l {username}
    What it does is place a ‘!’ in front of the encrypted password in /etc/shadow.

    • KlausRo December 9, 2011, 12:49 am

      Awesome, thanks for this tip!

  • harish April 23, 2011, 4:42 am

    how to enable the ssh account when it is disabled by chsh

  • Jesse July 8, 2011, 8:06 pm

    I wanted to have an account that could only FTP and not have any shell access.
    I used the above mentioned ‘chsh -s /sbin/nologin’ but then it would not allow login to FTP either.
    I have restored with ‘chsh -s /bin/bash username’.

    Any idea on how to allow an account FTP access but no shell access?

  • ip intel October 7, 2011, 1:20 pm

    n~#usermod -h

  • last January 2, 2012, 4:33 pm

    Folks help please
    I am a new sys admin and when I arrived at org someone had already installed and configured centos 5 linux server. I wanted to allow only to users acess to internet. so I found out that 5 users are on dhcp and they connect to internet..yet even when i put the rest on dhcp, they still cant access internet. The rest are on static ip and even if you add the gateway they wont get internet. please help me as to how I can give some access to internet or deny. the former guy never left documentation. hey, tell me also what i need to do becuase now I dont know how to block or allow access

Leave a Comment

   Tagged with: , , , , , , , , , , , , , , ,