Linux Locking An Account

How do I lock an account (user login id) under Linux operating system? How can I disable a user's login without disabling the account on a Linux based server?

You can use the passwd command to change the password of user or group accounts. A normal user may only change the password for his/her own account; the super user (root) may change the password for any account. You can also use the passwd command to lock or unlock an account on a Linux operating system.

Task: Linux locking an account

The syntax for locking an account is as follows. Locking works by rendering the encrypted password invalid: the encrypted string is prefixed with an !. The -l option is available to the root user only:

passwd -l {username}

The -l option disables an account by changing the password to a value which matches no possible encrypted value. In this example, we lock the user account named vivek. First, log in as the root user and type the following command:

# passwd -l vivek

Sample outputs:

Locking password for user vivek.
passwd: Success

Task: Linux Unlocking an Account

The syntax is as follows and the -u option is available to root user only:

passwd -u {username}

The -u option re-enables an account by changing the password back to its previous value, i.e. to the value it had before the -l option was used. To unlock the user account named vivek, log in as the root user and type the following command:

# passwd -u vivek

Sample outputs:

Unlocking password for user vivek.
passwd: Success

Task: Root can access any account

The syntax is:

su - {username}
su - vivek

Sample session: Disable a user's login without disabling the account

Fig.01: How to Linux disable a user's login without disabling  account

A note about the ssh public key based authentication

A user account locked with the -l option can still log in by other methods, such as ssh public key authentication. Use the following command for full account locking:

chage -E 0 {username}
## full lockdown for user named vivek ##
chage -E 0 vivek

Sample outputs:

Fig.02: Linux chage command set and unset expire date for given user account
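
To audit which accounts are only password-locked (passwd -l) and which are fully expired (chage -E 0), the two states can be read straight from shadow(5)-format records. The script below is an added example, not part of the original article; the function names, the state labels and the sample records are assumptions made for illustration.

```shell
# Added example, not from the original article.
# Reads shadow(5)-format lines on stdin, prints "<user> <password> <account>".
# On a live system, as root:  audit_shadow < /etc/shadow
audit_shadow() {
    # $1 = today in days since 1970-01-01 (defaults to the current date)
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        NF < 8 { next }                      # not a shadow(5) record
        {
            # Field 2 is the hash; passwd -l puts "!" in front of it.
            if ($2 ~ /^!/)       pw = "locked"
            else if ($2 == "*")  pw = "star"     # no password can match
            else if ($2 == "")   pw = "empty"    # no password set
            else                 pw = "set"
            # Field 8 is the account expiry in days since the epoch.
            # Empty or negative means never. 0 is counted as expired,
            # as the article does with chage -E 0.
            if ($8 != "" && $8 + 0 >= 0 && $8 + 0 <= today) acct = "expired"
            else acct = "live"
            print $1, pw, acct
        }'
}

# Accounts locked with passwd -l but never expired with chage -E: the
# state the article says can still log in with an ssh public key.
password_locked_only() {
    audit_shadow "$@" | awk '$2 == "locked" && $3 == "live" { print $1 }'
}

# Constructed sample records (hashes are placeholders, not real hashes).
sample_shadow() {
    cat <<'EOF'
vivek:!$6$SALT$PLACEHOLDER:16481:0:99999:7:::
alice:!$6$SALT$PLACEHOLDER:16481:0:99999:7::0:
bob:$6$SALT$PLACEHOLDER:16481:0:99999:7:::
carol:$6$SALT$PLACEHOLDER:16481:0:99999:7::1:
daemon:*:16000:0:99999:7:::
EOF
}

sample_shadow | password_locked_only 20000
```

With the sample records only vivek is reported: alice is also password-locked, but her expiry date is already in the past.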

How can I remove an account expiration date?

The syntax is:

chage -E -1 vivek
chage -l vivek
## optional: assign a new password for vivek ##
# passwd vivek

Sample outputs:

Last password change					: Feb 15, 2015
Password expires					: never
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 99999
Number of days of warning before password expires	: 7

The user can now log in using an ssh public key or a password:

ssh vivek@nas01
ssh -Y vivek@nas01

Sample outputs:

Linux nas01 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u1 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Sun Feb 15 18:13:45 2015 from

{ 21 comments }

  • umesh September 26, 2007, 11:54 am

    how to lock the file or directory so that others can't even open it

    • JTJ April 26, 2011, 10:40 am

      change the file permissions….
      #chmod 777
      for full permissions rwx
      #chmod 700
      so that no one is able to access your files or dir. then user means you have the full permissions but others do not…

  • jamie October 15, 2008, 2:07 pm

    once you have locked an account, is there any way to view a confirmation of some sort of that locked account? Or even better print an account showing it's locked somehow?

    say for audit purposes?

  • Nathan Collins November 11, 2008, 7:02 am

    jamie, you can get a list of locked accounts with the passwd command:

    $ sudo passwd -Sa | awk '($2 == "L")'

    • Michael March 10, 2011, 4:21 pm

      I tried your command and I got an invalid option

      sudo passwd -Sa | awk '($2 == "L")'

      option requires a username and unknown option with -S

      Just wondering if there was something I am missing. We are on Red Hat Enterprise servers.

      • Nathan Collins March 11, 2011, 7:37 am

        Still works for me. I’m on Ubuntu 10.04. Maybe you have a different version of the passwd command?

      • Anthony September 28, 2015, 6:48 pm

        -a is not an option for CentOS 6 version of passwd.


  • karthik rajan September 11, 2009, 9:42 am

    Is there any way to display the message “Account is Locked Please Contact Systems Dept” when an account is locked by the pam_d module in Linux?

    • enoksrd April 8, 2011, 11:27 pm

      @Karthik: setting the expiration date (chage -E 1), but NOT locking the password (i.e. don’t use usermod -L) gives the behavior you want: when a user attempts to log in, and provides their password or ssh-key, they get the message (on Ubuntu 10.10 anyway):

      Your account has expired; please contact your system administrator

  • suranga October 13, 2009, 2:16 pm

    also using
    usermod -L username

  • Bhagesh P June 26, 2010, 9:59 am


    Is there any way to automatically lock an account which is not used for more than 20 days?

    • enoksrd June 26, 2010, 10:18 pm

      Bhagesh P,

      here’s a first try:

      lastlog -b 20 | tail -n +2 | cut -d ' ' -f 1 | xargs -n1 echo usermod -L

      That locks any account not logged into for 20 or more days. Note that “logged into” seems to mean pseudo terminal and ssh logins, but not GUI logins (for Gnome/GDM in Ubuntu anyways).

  • Rinkal October 19, 2010, 10:07 am

    Is it possible to have an account as non login account on Linux, Solaris or HPUx.
    As on Solaris10, we can have an account with non login or no passwd.
    # passwd -N testuser
    passwd: password information changed for testuser

    –> Show password attributes
    # passwd -s testuser
    gmb NL

    –> Shadow file entry
    # grep "^testuser:" /etc/shadow

    You will notice that the user’s original password has been removed and replaced with the string “NP”. This account is now a non-login account and the original password has been discarded. You will not be able to login to this account, but the account will be able to make use of delayed execution facilities. To re-enable an account for interactive logins, simply reassign a password to the account using the passwd(1) command.

  • Arpit Tolani April 8, 2011, 10:13 am

    Nope, the above won't lock an account, it will lock the password only.

    If the user has ssh-keys set.. he is still able to log into the account.

    • enoksrd April 8, 2011, 11:22 pm

      @Arpit: thanks!

      Arpit is correct: usermod -L <user> only prevents password logins. I
      looked into this and found another easy solution, but there are some

      Looking at the man page for usermod, the -L entry says:

      Note: if you wish to lock the account (not only access with a password),
      you should also set the EXPIRE_DATE to 1.

      But BE CAREFUL: moduser can change the expire date with -e, but that
      option expects a YYYY-MM-DD formatted date, and if you do

      usermod -e 1 <user>,

      the confusing documentation, this seems like a major bug to me …

      Now, there are at least two ways to set the expire date to the “1”
      that the usermod man page suggests. But first, what does “1” mean?
      According to the shadow and chage man pages, it’s the number of days
      since 1 January 1970 (the unix epoch). So, the point is that (1+1)
      January 1970 is in the past, and actually any VALID date in the past
      would effectively lock the account.

      Another WARNING: but don’t think you can simply set the date
      arbitrarily: dates before 1 Jan 1970 are not valid, and passing such a
      date to usermod appears to succeed, but then /etc/shadow is corrupted
      and subsequent commands, INCLUDING usermod, can not edit
      <user>’s entry (e.g. chage will add a second entry for that user
      and pwck will suggest you delete the entry with the bad date!).

      OK, so how to set the expire date correctly? Two easy ways:

      1. with chage: chage -E 1 <user>. then use chage -l <user> to see that
      the expiration date is in the past.

      2. with usermod: usermod -e 1970-01-02 <user>.

      If you screw something up (e.g. by passing usermod a date before 1
      January 1970), you can edit /etc/shadow manually with vipw -s.

      Thanks again to Arpit for pointing out that usermod -L was not really
      locking the accounts.

      • enoksrd April 8, 2011, 11:42 pm

        NB: the above may be Debian (and derivatives, e.g. Ubuntu) specific.

        • no September 8, 2011, 5:37 pm

          usermod -e 1 foouser
          works just fine in Ubuntu 11.04
          check with
          chage -l foouser

      • Arpit Tolani May 10, 2011, 12:08 am

        @ enoksrd

        No need for thanks. Sorry, I wasn't online for long.

        Will the solution also work for LDAP users which are on Linux clients configured using authconfig?
        I have a scenario where LDAP users get locked after giving three wrong password attempts but they can log in using ssh. How can I block them?

  • tharnge February 20, 2012, 2:24 pm

    why is my account locked? please open the account

    • Drew January 25, 2013, 8:32 pm

      ^ lol

  • r00000t March 5, 2013, 7:57 am

    ^ Die laughing
