You can use the passwd command to change user or group accounts password. A normal user may only change the password for his/her own account, the super user (root) may change the password for any account. You can use the passwd command for locking or unlocking an account on a Linux operating systesm.
Task: Linux locking an account
The syntax is as follows for locking down the account. It is performed by rendering the encrypted password into an invalid string by prefixing the encrypted string with an !. The -l option is available to root user only:
passwd -l {username} |
The -l option disables an account by changing the password to a value which matches no possible encrypted value. In this example, lock user account named vivek. First, login as a root user and type the following command:
# passwd -l vivek
Sample outputs:
Locking password for user vivek. passwd: Success
Task: Linux Unlocking an Account
The syntax is as follows and the -u option is available to root user only:
passwd -u {username} |
The -u option re-enables an account by changing the password back to its previous value i.e. to value before using -l option. To unlock user account named vivek. Login as a root user and type following command:
# passwd -u vivek
Sample outputs:
Unlocking password for user vivek. passwd: Success
Task: Root can access any account
The syntax is:
su - {username} su - vivek |
Sample session: Disable a user’s login without disabling the account
See also:
A note about the ssh public key based authentication
User account locked with the -l option can still log in by other methods such as the ssh public key authentication. Use the following command to for full account locking:
chage -E 0 {username} ## full lockdown for user named vivek ## chage -E 0 vivek |
Sample outputs:
How can I remove an account expiration date?
The syntax is:
chage -E -1 vivek chage -l vivek ## optional: assign a new password for vivek ## # passwd vivek |
Sample outputs:
Last password change : Feb 15, 2015 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7
User can now login using ssh public key or password:
ssh vivek@nas01 ssh -Y vivek@nas01 |
Sample outputs:
Linux nas01 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u1 x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. No mail. Last login: Sun Feb 15 18:13:45 2015 from 192.168.1.4 vivek@nas01:~$ |
- Search for all account without password and lock them (includes sample script for FreeBSD/Linux/Sun Solaris)
- Man pages: passwd(1),chage(1),passwd(5)
21 comment
how to lock the file or directory so that others cant even open it
change the file permissions….
#chmod 777
for full permissions rwx
and
#chmod 700
so that no can able to access in your files or dir. then user means u have the full permissions but others do not…
once you have locked an account, is there any way to view a comfirmation of some sort of that locked account? Or even better print an account showing its locked somehow?
say for audit purposes?
jamie, you can get a list of locked accounts with the passwd command:
$ sudo passwd -Sa | awk ‘($2 == “L”)’
I tried your command and I got an invalid option
sudo passwd -Sa | awk ‘($2 == “Lâ€)’
option requires a username and unknow option with -S
Just wondering if there was something I am missing. We are on Red Hat Enterprise servers.
Still works for me. I’m on Ubuntu 10.04. Maybe you have a different version of the passwd command?
-a is not an option for CentOS 6 version of passwd.
Anthony
IS any way can display the message if the “Account is Locked Plsease Contact Systems Dept” when account is locked by the pam_d module in the Linux
@Karthik: setting the expiration date (chage -E 1), but NOT locking the password (i.e. don’t use usermod -L) gives the behavior you want: when a user attempts to login, and provides their password or ssh-key, they get the message (on Ubuntu10.10 anyway):
Your account has expired; please contact your system administrator
also using
usermod -L username
Hi,
Is any way to lock the account automatically which is not used for more than 20 days.
Bhagesh P,
here’s a first try:
lastlog -b 20 | tail -n +2 | cut -d ‘ ‘ -f 1 | xargs -n1 echo usermod -L
That locks any account not logged into for 20 or more days. Note that “logged into” seems to mean pseudo terminal and ssh logins, but not GUI logins (for Gnome/GDM in Ubuntu anyways).
Is it possible to have an account as non login account on Linux, Solaris or HPUx.
As on Solaris10, we can have an account with non login or no passwd.
e.g
# passwd -N testuser
passwd: password information changed for testuser
–> Show password attributes
# passwd -s testuser
gmb NL
–> Shadow file entry
# grep “^testuser:” /etc/shadow
testuser:NP:12683::::::
You will notice that the user’s original password has been removed and replaced with the string “NP”. This account is now a non-login account and the original password has been discarded. You will not be able to login to this account, but the account will be able to make use of delayed execution facilities. To re-enable an account for interactive logins, simply reassign a password to the account using the passwd(1) command.
Nopes The above wont lock a account, It i will lock the password only.
If the user has ssh-keys set.. he is still able to log into the account.
@Arpit: thanks!
Arpit is correct: usermod -L <user> only prevents password logins. I
looked into this and found another easy solution, but there are some
caveats.
Looking at the man page for usermod, the -L entry says:
Note: if you wish to lock the account (not only access with a password),
you should also set the EXPIRE_DATE to 1.
But BE CAREFUL: moduser can change the expire date with -e, but that
options expects a YYYY-MM-DD formatted date, and if you do
usermod -e 1 <user>,
IT SETS THE EXPIRATION DATE TO THE CURRENT DATE! In conjunction with
the confusing documentation, this seems like a major bug to me …
Now, there are at least two ways to set the expire date to the “1”
that the usermod man page suggests. But first, what does “1” mean?
According to the shadow and chage man pages, it’s the number of days
since 1 January 1970 (the unix epoch). So, the point is that (1+1)
January 1970 is in the past, and actually any VALID date in the past
would effectively lock the account.
Another WARNING: but don’t think you can simply set the date
arbitrarily: dates before 1 Jan 1970 are not valid, and passing such a
date to usermod appears to succeed, but then /etc/shadow is corrupted
and subsequent commands, INCLUDING usermod, can not edit
<user>’s entry (e.g. chage will add a second entry for that user
and pwck will suggest you delete the entry with the bad date!).
OK, so how to set the expire date correctly? Two easy ways:
1. with chage: chage -E 1 <user>. then use chage -l <user> to see that
the expiration date is in the past.
2. with usermod: usermod -e 1970-01-02 <user>.
If you screw something up (e.g. by passing usermod a date before 1
January 1970), you can edit /etc/shadow manually with vipw -s.
Thanks again to Arpit for pointing out that usermod -L was not really
locking the accounts.
NB: the above may be Debian (and derivatives, e.g. Ubuntu) specific.
Actually
usermod -e 1 foouser
works just fine in Ubuntu 11.04
check with
chage -l foouser
@ enoksrd
No need for thanks, Sorry I wasnt online for long.
Will the solution work for LDAP Users also which are on linux clients configured using authconfig
I have a scenerio where LDAP users gets locked after giving three wrong password attempts but they can login using ssh. how can i block them.
why is my account locked?please open theaccount
^ lol
^ Die laughing