Linux Disable Shell / FTP Access For a User Account

My users will only be checking mail, and I want to disable FTP access as well as shell access under CentOS Linux. How do I disable shell (SSH) and FTP access to a new or old user under Linux without deleting user account?

You can disable shell, SSH and FTP access for a user with the following commands:

  1. chsh command: It is used to change your login shell.
  2. /sbin/nologin: Displays a message that an account is not available and exits non-zero. It is intended as a replacement shell field for accounts that have been disabled.

Task: Disable Linux User Shell Account

Type the following command to disable shell access for tom:
# chsh -s /sbin/nologin {username}
# chsh -s /sbin/nologin tom

Sample Outputs:

Changing shell for tom
Shell changed.


  1. -s /sbin/nologin: Politely refuse a login
  2. tom : The user name you wish to deny shell access to.

Task: Disable Linux FTP User Account

If you run the VSFTPD FTP server or another FTP server, add the user to the /etc/ftpusers or /etc/vsftpd/ftpusers (VSFTPD) file:
# echo tom >> /etc/ftpusers
# echo tom >> /etc/vsftpd/ftpusers
Any user name added to /etc/ftpusers or /etc/vsftpd/ftpusers is prevented from logging in to FTP. However, the user can still log in to email (webmail or POP3 / IMAP) and download emails without shell access.

A Note About PAM and access.conf

Apart from the above two methods, Linux supports PAM and the access.conf login access table.

PAM modules can be used to enable or disable access to certain services such as vsftpd, ssh, and so on. /etc/security/access.conf acts as a login access control table, which is useful to allow or deny login access based upon IP address, network location or tty name. When someone logs in, the file is scanned for the first entry that matches the (user, host) combination, or, in case of non-networked logins, the first entry that matches the (user, tty) combination. The permissions field of that table entry determines whether the login will be accepted or refused. See how to use pam modules to enable or disable login access.

For example, to deny access to tom, enter the following in /etc/security/access.conf:
- : tom : ALL

  • - : Deny access. The permission field is a “+” character (plus) for access granted or a “-” character (minus) for access denied.
  • tom : Username. It should be a list of one or more login names, group names, or ALL (which always matches).
  • ALL : Deny access from all IP addresses.
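
To confirm that the three restrictions above are in place for an account, the following added example (not part of the original article) checks the passwd shell field, the ftpusers list and the first matching access.conf entry. The sample files, the user jerry and the address 192.168.1.10 are constructed, and access.conf matching is simplified to plain user names, plain origins and ALL.

```shell
#!/bin/sh
# Added example. Simplified: access.conf group names, EXCEPT, netmasks and IPv6 origins are not handled.

# Print the login shell (7th passwd field); exit status 1 if the user is absent.
login_shell() {  # $1 = user, $2 = passwd file
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }' "$2"
}

# Succeed if the user's shell is a nologin binary.
shell_disabled() {  # $1 = user, $2 = passwd file
    case "$(login_shell "$1" "$2")" in
        */nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the user appears on a line of its own in the ftpusers file.
ftp_denied() {  # $1 = user, $2 = ftpusers file
    [ -r "$2" ] && grep -qxF -- "$1" "$2"
}

# Print "deny" or "allow" from the first entry matching (user, origin); no match means allow.
access_decision() {  # $1 = user, $2 = origin (host or tty), $3 = access.conf file
    awk -F: -v u="$1" -v o="$2" '
        function listed(field, want,   n, i, t) {
            n = split(field, t, " ")
            for (i = 1; i <= n; i++) if (t[i] == want || t[i] == "ALL") return 1
            return 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF >= 3 && listed($2, u) && listed($3, o) {
            gsub(/[ \t]/, "", $1)
            print (($1 == "-") ? "deny" : "allow"); decided = 1; exit
        }
        END { if (!decided) print "allow" }
    ' "$3"
}

# Constructed sample files (not from a real host) so the checks run offline.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
printf 'tom:x:1001:1001::/home/tom:/sbin/nologin\njerry:x:1002:1002::/home/jerry:/bin/bash\n' > "$d/passwd"
printf '# denied FTP users\nroot\ntom\n' > "$d/ftpusers"
printf '+ : jerry : 192.168.1.10\n- : tom : ALL\n- : jerry : ALL\n' > "$d/access.conf"
for u in tom jerry; do
    shell_disabled "$u" "$d/passwd" && s=disabled || s=enabled
    ftp_denied "$u" "$d/ftpusers" && f=denied || f=allowed
    echo "$u: shell=$s ftp=$f access(192.168.1.10)=$(access_decision "$u" 192.168.1.10 "$d/access.conf")"
done
```

On a live system, pass /etc/passwd, /etc/vsftpd/ftpusers and /etc/security/access.conf instead of the sample files.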

Further readings:

  • man pages access.conf, nologin, pam, chsh, vsftpd.conf

14 comments… add one
  • daniels Jun 24, 2009 @ 11:52

    Why not use virtual users for email?

  • anurdh65 Jun 25, 2009 @ 4:24


    Thanks for this information. Can anybody help me to get the IP address as Linux coding? I normally use the website IP details to get the IP address for Windows. But I want to get the IP address for the Linux platform; can anybody help me with the coding?

  • Vishal Jun 25, 2009 @ 14:08

    Can you elaborate your question pls?

  • Rick Jun 25, 2009 @ 17:38


    To get the ip address of a linux box, type the following from the command prompt (bash shell):


    Sometimes you can also get ip information using the following hack:

    host `hostname`

    To get the IP address of a Windows box, type the following from the command prompt (DOS shell):


  • Tim (kb0odu) Jun 26, 2009 @ 0:29

    To get just the IP address under Linux, try the following command:
    ifconfig eth1 | grep 'inet'
    This will return both the IPv4 and IPv6 Addresses. If you only want the IPv4 Address, try the following:
    ifconfig eth1 | grep 'Bcast'
    Change to the appropriate interface if it isn’t eth1.

  • Markus Jun 27, 2009 @ 7:34

    Setting the shell to nologin does not prevent the user from forwarding ports with SSH.

  • Alfa Nov 12, 2009 @ 2:37

    Alternatively, you can edit /etc/passwd.
    Before :

    After :

  • Anonymous Dec 27, 2009 @ 2:20

    You can disable the account by locking it with:
    passwd -l {username}
    What it does is place a ‘!’ in front of the encrypted password in /etc/shadow.

    • KlausRo Dec 9, 2011 @ 0:49

      Awesome, thanks for this tip!

  • harish Apr 23, 2011 @ 4:42

    how to enable the ssh account when it is disabled by chsh

  • Jesse Jul 8, 2011 @ 20:06

    I wanted to have an account that could only FTP and not have any shell access.
    I used the above mentioned ‘chsh -s /sbin/nologin’ but then it would not allow login to FTP either.
    I have restored with ‘chsh -s /bin/bash username’.

    Any idea on how to allow an account FTP access but no shell access?

  • ip intel Oct 7, 2011 @ 13:20

    n~#usermod -h

  • last Jan 2, 2012 @ 16:33

    Folks help please
    I am a new sys admin and when I arrived at the org someone had already installed and configured a CentOS 5 Linux server. I wanted to allow only to users access to internet. So I found out that 5 users are on DHCP and they connect to the internet, yet even when I put the rest on DHCP, they still can't access the internet. The rest are on static IP and even if you add the gateway they won't get internet. Please help me as to how I can give some access to internet or deny. The former guy never left documentation. Hey, tell me also what I need to do because now I don't know how to block or allow access.
