Linux Locking An Account

Published January 4, 2006 · 20 comments · Last updated February 15, 2012


How do I lock an account (user login id) under Linux operating system?

You can use the passwd command to change the password of a user or group account. A normal user may only change the password for his/her own account; the superuser (root) may change the password for any account. The same passwd command is used to lock or unlock an account.

Task: Linux Locking an Account

The syntax is as follows:

passwd -l {username}

The -l option disables an account by changing the password to a value which matches no possible encrypted value. In this example, we lock the user account named vivek. First, log in as root and type the following command:

# passwd -l vivek

Task: Linux Unlocking an Account

The syntax is as follows:

passwd -u {username}

The -u option re-enables an account by changing the password back to its previous value, i.e. the value it had before the -l option was used. To unlock the user account named vivek, log in as root and type the following command:

# passwd -u vivek
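What the two commands above actually do to the account's /etc/shadow entry, as an added example that is not part of the original page: on shadow-utils systems passwd -l prefixes the stored hash with "!" so no password can match it, passwd -u removes that prefix, and passwd -S reports the state as L, NP or P. The entry and its hash are constructed placeholders so this runs as an ordinary user without touching the real shadow file.

```shell
# Added example (not from the original page): model passwd -l / passwd -u /
# passwd -S on a constructed shadow entry instead of the real /etc/shadow.
SAMPLE_ENTRY='vivek:$6$placeholdersalt$placeholderhash:15000:0:99999:7:::'

# Lock the password field of a shadow entry; idempotent, like passwd -l.
lock_entry() {
    user=${1%%:*}; rest=${1#*:}
    case $rest in
        '!'*) printf '%s\n' "$1" ;;              # already locked
        *)    printf '%s\n' "$user:!$rest" ;;    # prefix the hash with "!"
    esac
}

# Unlock the password field; the old hash comes back unchanged, like passwd -u.
unlock_entry() {
    user=${1%%:*}; rest=${1#*:}
    case $rest in
        '!'*) printf '%s\n' "$user:${rest#?}" ;;  # strip the leading "!"
        *)    printf '%s\n' "$1" ;;               # was never locked
    esac
}

# Report the password state the way passwd -S does: L (locked, "!" or "*"
# prefix), NP (empty field, no password) or P (usable password).
entry_state() {
    pw=$(printf '%s' "$1" | cut -d: -f2)
    case $pw in
        '')        echo NP ;;
        '!'*|'*'*) echo L ;;
        *)         echo P ;;
    esac
}

locked=$(lock_entry "$SAMPLE_ENTRY")
echo "before lock:  $(entry_state "$SAMPLE_ENTRY")"
echo "after lock:   $(entry_state "$locked")  $locked"
echo "after unlock: $(entry_state "$(unlock_entry "$locked")")"
```

Note that L only says the password hash is disabled; an account with an authorized ssh key is still reachable until its expiry date is set as well, which the comments below discuss.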


1 umesh September 26, 2007 at 11:54 am

How do I lock a file or directory so that others can't even open it?


2 JTJ April 26, 2011 at 10:40 am

Change the file permissions:
#chmod 777
for full permissions (rwx), and
#chmod 700
so that nobody else can access your files or directory. Then you, the user, have full permissions but others do not.


3 jamie October 15, 2008 at 2:07 pm

Once you have locked an account, is there any way to view a confirmation of some sort that the account is locked? Or, even better, print an account showing that it's locked somehow?

say for audit purposes?


4 Nathan Collins November 11, 2008 at 7:02 am

jamie, you can get a list of locked accounts with the passwd command:

$ sudo passwd -Sa | awk '($2 == "L")'


5 Michael March 10, 2011 at 4:21 pm

I tried your command and I got an invalid option

sudo passwd -Sa | awk '($2 == "L")'

option requires a username, and unknown option with -S

Just wondering if there was something I am missing. We are on Red Hat Enterprise servers.


6 Nathan Collins March 11, 2011 at 7:37 am

Still works for me. I’m on Ubuntu 10.04. Maybe you have a different version of the passwd command?


7 karthik rajan September 11, 2009 at 9:42 am

Is there any way to display the message "Account is Locked, Please Contact Systems Dept" when an account is locked by the pam_d module in Linux?


8 enoksrd April 8, 2011 at 11:27 pm

@Karthik: setting the expiration date (chage -E 1), but NOT locking the password (i.e. don't use usermod -L), gives the behavior you want: when a user attempts to log in and provides their password or ssh key, they get the message (on Ubuntu 10.10 anyway):

Your account has expired; please contact your system administrator


9 suranga October 13, 2009 at 2:16 pm

Also, using:
usermod -L username


10 Bhagesh P June 26, 2010 at 9:59 am

Hi,

Is there any way to automatically lock an account that has not been used for more than 20 days?


11 enoksrd June 26, 2010 at 10:18 pm

Bhagesh P,

here’s a first try:

lastlog -b 20 | tail -n +2 | cut -d ' ' -f 1 | xargs -n1 echo usermod -L

That locks any account not logged into for 20 or more days. Note that “logged into” seems to mean pseudo terminal and ssh logins, but not GUI logins (for Gnome/GDM in Ubuntu anyways).

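A more careful version of the lastlog pipeline in the comment above, added here as an example and not the commenter's own code. lastlog -b 20 also lists accounts that have never logged in, which on a real system includes system accounts, so this version skips those and only considers regular users (UID at or above 1000, assumed here as the local UID_MIN), and it prints the usermod -L commands for review rather than running them. The lastlog output and passwd data are constructed samples so the script runs as an ordinary user.

```shell
# Added example (not from the original page): build a review list of
# "usermod -L" commands from lastlog output, skipping never-logged-in and
# system accounts. Both inputs below are constructed samples.
LASTLOG_SAMPLE='Username         Port     From             Latest
root             tty1                      Mon Dec  1 09:12:44 +0000 2025
daemon                                     **Never logged in**
vivek            pts/0    192.0.2.10       Tue Nov  4 17:02:11 +0000 2025
jamie            pts/1    192.0.2.11       Mon Jun  2 08:30:00 +0000 2025
svc-backup                                 **Never logged in**'

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vivek:x:1000:1000::/home/vivek:/bin/bash
jamie:x:1001:1001::/home/jamie:/bin/bash
svc-backup:x:1002:1002::/var/backups:/bin/bash'

# stale_lock_cmds LASTLOG_TEXT PASSWD_TEXT UID_MIN
# Prints "usermod -L <user>" for every lastlog row that has a real last login
# and whose UID in the passwd data is >= UID_MIN (system accounts are skipped).
stale_lock_cmds() {
    printf '%s\n' "$1" | tail -n +2 | grep -v 'Never logged in' |
    cut -d ' ' -f 1 | while read -r user; do
        uid=$(printf '%s\n' "$2" | awk -F: -v u="$user" '$1 == u { print $3 }')
        [ -n "$uid" ] && [ "$uid" -ge "$3" ] && echo "usermod -L $user"
    done
}

# On a live system the first argument would be "$(lastlog -b 20)" and the
# second "$(cat /etc/passwd)"; here the constructed samples stand in.
stale_lock_cmds "$LASTLOG_SAMPLE" "$PASSWD_SAMPLE" 1000
```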

12 Rinkal October 19, 2010 at 10:07 am

Is it possible to have a non-login account on Linux, Solaris or HP-UX?
On Solaris 10, we can have an account with no login or no password.
e.g.
# passwd -N testuser
passwd: password information changed for testuser

--> Show password attributes
# passwd -s testuser
gmb NL

--> Shadow file entry
# grep "^testuser:" /etc/shadow
testuser:NP:12683::::::

You will notice that the user’s original password has been removed and replaced with the string “NP”. This account is now a non-login account and the original password has been discarded. You will not be able to login to this account, but the account will be able to make use of delayed execution facilities. To re-enable an account for interactive logins, simply reassign a password to the account using the passwd(1) command.


13 Arpit Tolani April 8, 2011 at 10:13 am

Nope, the above won't lock an account; it will lock the password only.

If the user has ssh-keys set.. he is still able to log into the account.


14 enoksrd April 8, 2011 at 11:22 pm

@Arpit: thanks!

Arpit is correct: usermod -L <user> only prevents password logins. I
looked into this and found another easy solution, but there are some
caveats.

Looking at the man page for usermod, the -L entry says:

Note: if you wish to lock the account (not only access with a password),
you should also set the EXPIRE_DATE to 1.

But BE CAREFUL: usermod can change the expire date with -e, but that
option expects a YYYY-MM-DD formatted date, and if you do

usermod -e 1 <user>,

IT SETS THE EXPIRATION DATE TO THE CURRENT DATE! In conjunction with
the confusing documentation, this seems like a major bug to me …

Now, there are at least two ways to set the expire date to the "1"
that the usermod man page suggests. But first, what does "1" mean?
According to the shadow and chage man pages, it’s the number of days
since 1 January 1970 (the unix epoch). So, the point is that (1+1)
January 1970 is in the past, and actually any VALID date in the past
would effectively lock the account.

Another WARNING: but don’t think you can simply set the date
arbitrarily: dates before 1 Jan 1970 are not valid, and passing such a
date to usermod appears to succeed, but then /etc/shadow is corrupted
and subsequent commands, INCLUDING usermod, cannot edit
<user>’s entry (e.g. chage will add a second entry for that user
and pwck will suggest you delete the entry with the bad date!).

OK, so how to set the expire date correctly? Two easy ways:

1. with chage: chage -E 1 <user>. then use chage -l <user> to see that
the expiration date is in the past.

2. with usermod: usermod -e 1970-01-02 <user>.

If you screw something up (e.g. by passing usermod a date before 1
January 1970), you can edit /etc/shadow manually with vipw -s.

Thanks again to Arpit for pointing out that usermod -L was not really
locking the accounts.

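An audit check for the point made in this thread, added as an example that is not part of the original comments: an account is only locked for every login path when the password field is disabled (the "!" prefix that usermod -L / passwd -l add) AND the expiry field (8th field of the shadow entry, days since 1970-01-01) names a day that has already passed, which is what the usermod man page note quoted above asks for. The shadow entries are constructed with placeholder hashes, and today's day number is taken from date +%s, which is GNU/BSD rather than strict POSIX.

```shell
# Added example (not from the original page): classify a shadow entry as
# fully-locked, password-only, expired-only or active.

# Today as a day count since the epoch. date +%s is GNU/BSD, not strict POSIX.
today_days() { echo $(( $(date +%s) / 86400 )); }

# lock_audit ENTRY TODAY -> fully-locked | password-only | expired-only | active
lock_audit() {
    pw=$(printf '%s' "$1" | cut -d: -f2)
    expire=$(printf '%s' "$1" | cut -d: -f8)
    pw_locked=0; expired=0
    case $pw in '!'*|'*'*) pw_locked=1 ;; esac
    # Empty expiry means "never expires"; shadow(5) warns that 0 is ambiguous,
    # so it is treated as "no expiry" here. A value <= today has already passed.
    if [ -n "$expire" ] && [ "$expire" -gt 0 ] && [ "$expire" -le "$2" ]; then
        expired=1
    fi
    if [ $pw_locked -eq 1 ] && [ $expired -eq 1 ]; then echo fully-locked
    elif [ $pw_locked -eq 1 ]; then echo password-only   # ssh keys still work
    elif [ $expired -eq 1 ]; then echo expired-only
    else echo active
    fi
}

# Constructed entries (placeholder hashes): alice after usermod -L only,
# bob after usermod -L plus chage -E 1, carol untouched.
ALICE='alice:!$6$salt$hash:15000:0:99999:7:::'
BOB='bob:!$6$salt$hash:15000:0:99999:7::1:'
CAROL='carol:$6$salt$hash:15000:0:99999:7:::'

NOW=$(today_days)
for e in "$ALICE" "$BOB" "$CAROL"; do
    printf '%-6s %s\n' "${e%%:*}" "$(lock_audit "$e" "$NOW")"
done
```

Run over the real file with something like `sudo cut -d: -f1,2,8 /etc/shadow` feeding each line to lock_audit, and any "password-only" result is an account that a stored ssh key can still open.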

15 enoksrd April 8, 2011 at 11:42 pm

NB: the above may be Debian (and derivatives, e.g. Ubuntu) specific.


16 no September 8, 2011 at 5:37 pm

Actually,
usermod -e 1 foouser
works just fine in Ubuntu 11.04. Check with:
chage -l foouser


17 Arpit Tolani May 10, 2011 at 12:08 am

@ enoksrd

No need for thanks. Sorry I wasn't online for long.

Will the solution also work for LDAP users on Linux clients configured using authconfig?
I have a scenario where LDAP users get locked after three wrong password attempts, but they can still log in using ssh. How can I block them?


18 tharnge February 20, 2012 at 2:24 pm

Why is my account locked? Please open the account.


19 Drew January 25, 2013 at 8:32 pm

^ lol


20 r00000t March 5, 2013 at 7:57 am

^ Die laughing

