How to prevent non-root users from logging in to the system using the nologin shell

How do you prevent non-root users from logging in to the system? How do you give a user FTP and mail access only? How do you set a user's shell to nologin to politely refuse a login?


Fear not, it is easy to deny access to the login shell 😀. If the file /etc/nologin exists, login will allow access only to root. Other users will be shown the contents of this file and their logins will be refused. However, if you need to give a user FTP or mail access only, set that user's shell to /sbin/nologin.

Red Hat (RHEL) / Fedora Core / CentOS specific example

For example, to allow user tom to use FTP and mail but not a shell, use the usermod command to set the new shell:
# usermod -s /sbin/nologin tom

You can also edit the /etc/passwd file and change the user's shell:
From
/bin/bash
To
/sbin/nologin

The following programs are not affected by this shell (/sbin/nologin):

  • FTP clients
  • mail clients
  • sudo
  • many setuid programs

Please note that it prevents access to the shell and logs the attempt. All of the following programs are prevented from accessing the user account:

  • telnet/login
  • gdm/kdm/xdm (graphical login)
  • su
  • ssh/scp/sftp etc

Debian / Ubuntu Linux specific example

Use the /bin/false shell under Debian / Ubuntu Linux (it does nothing and exits unsuccessfully, so the login fails). To set a nologin shell for user tom under Debian / Ubuntu, use:
$ sudo usermod -s /bin/false tom
OR, when already logged in as root:
# usermod -s /bin/false tom

Caution: Do not set root user shell to /sbin/nologin or /bin/false.
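
A follow-up audit for the changes above, added here as an example and not part of the original article: it lists each account's shell, marks the accounts that are refused a shell login, flags a uid 0 account that was given a refusal shell, and shows whether the shell is listed in /etc/shells (the file pam_shells.so consults). The function names, the temporary sample files and every account other than tom are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which accounts can still get a login shell.

# "no-shell" for the refusal shells this page uses, else "shell-login".
classify_shell() {
    case "$1" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) echo no-shell ;;
        *) echo shell-login ;;
    esac
}

# audit_passwd PASSWD_FILE [SHELLS_FILE]
# Prints one line per account: user uid shell status listed|unlisted
audit_passwd() {
    shells_file=${2:-/etc/shells}
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$user" in ''|'#'*) continue ;; esac
        [ -n "$shell" ] || shell=/bin/sh   # empty field defaults to /bin/sh
        status=$(classify_shell "$shell")
        # The page's caution: a uid 0 account must keep a real shell.
        if [ "$uid" = 0 ] && [ "$status" = no-shell ]; then
            status=ROOT-LOCKED-OUT
        fi
        # pam_shells.so only accepts shells listed in /etc/shells.
        if grep -qxF -- "$shell" "$shells_file"; then
            listed=listed
        else
            listed=unlisted
        fi
        printf '%s %s %s %s %s\n' "$user" "$uid" "$shell" "$status" "$listed"
    done < "$1"
}

# True when /etc/nologin (or the given path) exists: only root may log in.
lockout_active() { [ -e "${1:-/etc/nologin}" ]; }

# Constructed sample data, not taken from a real system.
sample_dir=$(mktemp -d)
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0::/root:/bin/false
tom:x:1001:1001::/home/tom:/sbin/nologin
jerry:x:1002:1002::/home/jerry:/bin/false
alice:x:1003:1003::/home/alice:/bin/bash
bob:x:1004:1004::/home/bob:
EOF
printf '%s\n' /bin/sh /bin/bash /sbin/nologin > "$sample_dir/shells"
audit_passwd "$sample_dir/passwd" "$sample_dir/shells"
if lockout_active "$sample_dir/nologin"; then echo "lockout: on"; else echo "lockout: off"; fi
```

On a real host, call audit_passwd /etc/passwd and lockout_active with no argument to read the system files.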

14 comments
  • Zach True Nov 17, 2006 @ 17:38

    On a Debian system, the nologin file does not exist. Is this a file that I can create? If so, do I stick it in /etc? Do I have to link it to a file in /sbin? Also, what should be the contents of the file?

    Thanks

    • Thibs Sep 16, 2011 @ 9:35

      By the way, the command chsh is designed for changing shell (instead of using usermod)

      e.g. :
      chsh -s /bin/false tom

  • 🐧 nixCraft Nov 17, 2006 @ 19:13

    Zach,

    Good question.

    Use /bin/false on a Debian or Ubuntu Linux system. Both /sbin/nologin and /bin/false are binary files. Don’t softlink them with a shell/perl script.

    usermod -s /bin/false tom

  • max Nov 18, 2006 @ 6:25

    Zach,
    to deny non-root logins, simply ‘touch /etc/nologin’

  • R_Smith Apr 7, 2007 @ 16:41

    Hello,

    I have CentOS on dedicated server with Cpanel/WHM installed.

    I want more people to have access to Cpanel, but to disable main ftp domain access because if they FTP with the cpanel user/pass they will be able to access the folder MAIL.

    What I did so far: I changed the Cpanel/username password by: ssh passwd , this way the FTP password remained as the old one. This was a solution, because people were not able to use FTP with the Cpanel password. However, in 24h the FTP password was automatically synchronized with the Cpanel password – it became the same as cpanel password.

    1. How to disable main domain ftp access for Cpanel user?
    2. Maybe there is a way to disable automatic ftp password synchronization?

    Thanks in advance!!!

  • 🐧 nixCraft Apr 7, 2007 @ 18:17

    You can use ‘FTP Manager’ to disable or enable FTP user.

  • R_Smith Apr 8, 2007 @ 0:17

    I was thinking about the main ftp account, that has access in the directory that is one level up from public_html. There is no option in Cpanel to change this ftp account password.

  • nagendra rao Apr 16, 2007 @ 7:25

    I got one problem in sftp. How to block sftp service to a particular user?

  • ruben Jun 18, 2010 @ 15:18

    Excellent!
    This info helped me!

  • Guan Sep 22, 2010 @ 13:57

    Using a nologin/false shell is a quick solution to disable login completely. However, there are needs to only allow login from a certain location, say only locally. Linux-PAM would allow much finer-grained login control. Check out ‘man access.conf’. It is pretty useful when you have very specific login restrictions.

  • jason Jan 10, 2011 @ 9:32

    I need a fix like this, that still allows the user to access vsftpd. I’ve looked around and it looks like installing some kind of secure shell is my only option. I’m hoping you may know a way that’s as easy as this modification. Thanks in advance.

    • Chris Sep 22, 2011 @ 9:27

      @jason,

      Make sure that this line is present in your /etc/pam.d/vsftpd:

      auth required pam_shells.so

      This will force users to have a valid shell to log in.
      If you set a user's shell to /bin/false or /sbin/nologin then FTP logins will not be allowed also.

      Regards,
      Chris

  • suresh Sep 24, 2012 @ 10:43

    What is the server error code?
    I need some error codes.

  • rubence Apr 26, 2014 @ 1:53

    Need gdm/kdm/xdm (graphical) login for user but still he won't login via shell .. is it possible?
