By default, when you add a new user to the system (the /etc/passwd file), the account is granted shell access. If you are creating users only for POP3 or SMTP (mail server) or FTP, they do not need shell access. Remember that as soon as you add a user, he/she can log in via telnet or ssh. The best way to restrict Linux shell access is to use a special shell called nologin, which politely refuses a login: it displays a message that the account is not available and exits non-zero. It is intended as a replacement for the shell field of accounts that have been disabled or that only need other user-level access such as FTP, POP3 or SMTP. This is a very common practice on the web, mail and FTP server(s) of ISPs and web hosting service providers.
/sbin/nologin Example
(a) First, make sure nologin is listed in the /etc/shells file (otherwise services such as FTP may not allow the login):
# less /etc/shells
If the nologin shell does not appear in the above list, add /sbin/nologin to it:
# echo "/sbin/nologin" >> /etc/shells
If you are using Debian, use the following path:
# echo "/usr/sbin/nologin" >> /etc/shells
(b) Block shell access for the user vivek (the vivek user account must already exist):
# usermod -s /sbin/nologin vivek
Debian Linux users should modify the above command as follows:
# usermod -s /usr/sbin/nologin vivek
Now user vivek’s login shell is /sbin/nologin. Vivek is still allowed to use other services such as FTP and POP3, but has no shell access via ssh or telnet.
New user accounts
Add a new user called tony with no shell access:
# useradd -s /sbin/nologin tony
Debian / Ubuntu Linux users should modify the above command as follows:
# useradd -s /usr/sbin/nologin tony
Please note that the above method is very easy to use, but if you have a large setup you need to take help of PAM (and maybe OpenLDAP / MySQL). I will cover such a setup some time later :).
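As an added example (not part of the original article), the following POSIX shell script audits a passwd-format file for accounts that still have an interactive login shell and flags any shell that is not listed in /etc/shells. It runs against constructed sample data unless you pass real passwd and shells file paths as its two arguments.

```shell
# Added example, not from the original article: audit a passwd-format file for
# accounts that still get an interactive shell, and flag any login shell that is
# not listed in the shells file. Constructed sample data stands in for
# /etc/passwd and /etc/shells; pass two arguments (passwd file, shells file)
# to audit a real host.

# Constructed /etc/shells with both the Red Hat and the Debian nologin paths.
SAMPLE_SHELLS='/bin/sh
/bin/bash
/sbin/nologin
/usr/sbin/nologin'

# Constructed /etc/passwd: vivek and tony are restricted as in the article,
# www-data uses /bin/false, and someuser carries an unknown shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
vivek:x:1001:1001::/home/vivek:/sbin/nologin
tony:x:1002:1002::/home/tony:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/false
alice:x:1003:1003::/home/alice:/bin/bash
someuser:x:1022:1022:System User for someuser:/home/someuser/:/s$'

# Print "user<TAB>shell<TAB>status" for every account whose shell is neither
# nologin nor /bin/false; status is "ok" when the shell is in the shells file
# and "UNLISTED" when it is not. Usage: audit_shells PASSWD_FILE SHELLS_FILE
audit_shells() {
    awk -F: -v shells_file="$2" '
        BEGIN {
            while ((getline line < shells_file) > 0)
                if (line != "" && line !~ /^#/) listed[line] = 1
        }
        /^#/ { next }
        $7 ~ /\/nologin$/ || $7 == "/bin/false" { next }
        { s = ($7 in listed) ? "ok" : "UNLISTED"; printf "%s\t%s\t%s\n", $1, $7, s }
    ' "$1"
}

# Run the audit against the constructed sample data.
sample_audit() {
    tmp_passwd=$(mktemp) && tmp_shells=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp_passwd"
    printf '%s\n' "$SAMPLE_SHELLS" > "$tmp_shells"
    audit_shells "$tmp_passwd" "$tmp_shells"
    rm -f "$tmp_passwd" "$tmp_shells"
}

if [ "$#" -eq 2 ]; then
    audit_shells "$1" "$2"
else
    sample_audit
fi
```

On the sample data only root, alice and someuser are reported, and someuser's shell is marked UNLISTED because it does not appear in the shells file.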
Hi,
How to enable the accounts from /sbin/nologin ?
When we create a user with /sbin/nologin, are we able to access that user via WinSCP?
Thank you very, very much for this useful post.
Hi,
Can someone tell me what "/s$" is in the /etc/passwd file instead of /sbin/nologin?
someuser:x:1022:1022::System User for someuser:/home/someuser/:/s$
Thank You
/s$ is an unusual shell name. I hope you have not been hacked. Was someuser created by you?
Yes, “someuser” was created by me some time ago. I searched on Google but I didn’t find any answer about /s$.
And it is true, this thing is on a hacked server, by a rootkit (SHV4 or SHV5), and I want to see how it was hacked…
Thank You!
adduser --disabled-login is **NOT** the right thing to use for blocking shell access!!
Enter “man adduser” and look for this description:
If you just want to get a new real user, try “adduser --help”; for a normal user it should be the option “--disabled-login”, or maybe you want to create a system user, try “adduser --system --no-create-home USER”.
Isn’t it the same as creating a new user with
adduser --disabled-login USER
?
Thanks
Man! You saved my day! Thank you very, very much for this useful post.
At least I learned a new security measure: how to separate UIDs on my test webserver.
God Bless You.
I protest. This article is prejudiced against Tony.
I WANT MY BASH ACCESS!
(Really, thanks. I was looking for a way to make an FTP user with no shell access on a Debian box. This was precisely what I needed.)
Mantizke, you control that in /etc/ssh/sshd_config:
AllowUsers user
in this case, only user may login and all other users are denied access.
This does not work for me on a Debian system. nologin exists, but the command did not work 🙁 (the user CAN still log in via ssh).