One of my users is leaving the office and I'd like to disable her access to our UNIX / Linux system. How do I delete the ssh key from the UNIX systems so that the user cannot log in?
The first step is to disable the user's login by locking the account, as follows:
Linux Lock An Account
# passwd -l userName
# passwd -l vivek
FreeBSD Lock An Account
# pw lock userName
# pw lock vivek
Solaris / HP-UX UNIX Lock An Account
# passwd -l userName
# passwd -l vivek
Remove SSH Keys
The $HOME/.ssh/ directory stores the user's SSH keys. Rename or delete the directory:
# mv /home/vivek/.ssh /home/vivek/nosshlogin
OR
# rm -rf /home/vivek/.ssh
On a remote server, edit the $HOME/.ssh/authorized_keys or $HOME/.ssh/authorized_keys2 file and remove the user's public key. This stops logins from the user's home computer to your server. Finally, you can always delete the user from your system using the pw (FreeBSD) or userdel (Linux / UNIX) command.
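One way to script the authorized_keys edit described above, so that only the departing user's key is removed and every other key in the file stays in place. This is an added example, not part of the original article; the function names, the .bak backup suffix and the idea of passing the key's base64 field as an argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): revoke one public key
# from authorized_keys / authorized_keys2 without touching other keys.

# remove_key_from_file FILE BLOB   (hypothetical helper)
#   BLOB is the base64 field of the public key to revoke (the second
#   field of the user's .pub file). Prints the number of entries removed.
#   Returns 0 if something was removed, 1 if no match, 2 on error.
remove_key_from_file() {
    file=$1 blob=$2
    [ -f "$file" ] || return 2
    tmp=$(mktemp) || return 2
    # Match on whole whitespace-separated fields: an entry with leading
    # options (from="...",command="...") still matches, and a blob that
    # is only a prefix of another key does not.
    awk -v blob="$blob" '
        /^[ \t]*#/ || NF == 0 { print; next }      # keep comments, blanks
        { for (i = 1; i <= NF; i++) if ($i == blob) next; print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 2; }
    before=$(awk 'END { print NR }' "$file")
    after=$(awk 'END { print NR }' "$tmp")
    removed=$((before - after))
    if [ "$removed" -gt 0 ]; then
        cp -p "$file" "$file.bak"   # keep the old file for the audit trail
        cat "$tmp" > "$file"        # rewrite in place: owner and mode kept
    fi
    rm -f "$tmp"
    echo "$removed"
    [ "$removed" -gt 0 ] || return 1
}

# revoke_key SSH_DIR BLOB   (hypothetical wrapper)
#   Applies the removal to both file names the article mentions and
#   prints the total number of entries removed.
revoke_key() {
    total=0
    for f in "$1/authorized_keys" "$1/authorized_keys2"; do
        n=$(remove_key_from_file "$f" "$2") || true
        total=$((total + ${n:-0}))
    done
    echo "$total"
}
```

A result of 0 means the key was not present in either file, which is worth checking before assuming access has been revoked.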
{ 5 comments }
Puppet rocks.
Change ‘ensure => present’ to ‘ensure => absent’.
I can remove ssh access to hundreds of machines with one tweak.
+1 for Puppet.
I’ve been out of the loop on disabling accounts for a while. What has changed?
1. The user continues to receive e-mail. Any rules could still be executed.
2. cron and at jobs still run.
3. I can’t remember if sudo commands configured as NOPASSWD could still be run.
Short of deleting the user, we always prepended an additional character to the name if the user might return. That broke the e-mail/cron connection. I don’t know enough about Puppet or cfengine to know if changing the username in this way is possible.
The following lists various options while removing accounts:
Help: Old Employees Accessing The Linux Server
We may also edit /etc/ssh/sshd_config and, by adding the line:
DenyUsers [user name]
we may disable the possibility of logging in by this user.