Using `passwd -l` followed by a username disables that account’s password authentication in Linux. If you are looking for a clear, step-by-step guide on how to lock a user account in Linux, you have come to the right place. Locking an account is a common sysadmin task that prevents a user from logging in, either temporarily or permanently.
This article covers multiple methods, from the simple `passwd` command to using `usermod` and editing system files. You will learn the pros and cons of each approach, plus how to unlock an account when needed. Let’s get started.
How To Lock A User Account In Linux
There are several ways to lock a user account in Linux. The method you choose depends on your specific needs, such as whether you want to disable password login only or prevent all forms of access. Below we break down each technique with clear commands and examples.
Method 1: Using passwd -l To Lock The Account
The most straightforward way to lock a user account is with the `passwd -l` command. This command adds an exclamation mark (!) to the beginning of the user’s password hash in the `/etc/shadow` file, effectively disabling password-based authentication.
Here is how to do it:
- Open a terminal or SSH into your Linux server.
- Run the command:
sudo passwd -l username
- Replace “username” with the actual account name you want to lock.
For example, to lock an account called “john”, you would type:
sudo passwd -l john
The system will respond with: “Password changed.” This means the account is now locked. The user cannot log in using a password anymore.
Note: This method only locks password authentication. If the user has SSH keys configured, they may still be able to log in via SSH. We will cover that later.
Method 2: Using Usermod -L To Lock The Account
Another common method is using the `usermod` command with the `-L` option. This works similarly to `passwd -l` but is part of the user management toolset.
To lock a user account with usermod:
- Run:
sudo usermod -L username
- Verify the lock by checking the shadow file:
sudo grep username /etc/shadow
You will see an exclamation mark at the start of the password hash field. That indicates the account is locked.
Both `passwd -l` and `usermod -L` achieve the same result. Choose whichever you find easier to remember.
Method 3: Locking By Expiring The Account
If you want to lock an account for a specific period or permanently, you can use the `chage` command to set an expiration date. This method is useful for temporary workers or contractors.
To expire an account immediately:
sudo chage -E 0 username
This sets the account expiration date to day 0, a date that is already in the past, so the account counts as expired. The user cannot log in at all. To re-enable the account, set a future expiration date or remove the expiration:
sudo chage -E -1 username
The `-1` removes the expiration date entirely.
Method 4: Locking The Account In /etc/shadow Manually
For advanced users, you can manually edit the `/etc/shadow` file to lock an account. This method gives you full control but requires caution. A mistake can break user authentication.
Steps:
- Back up the shadow file:
sudo cp /etc/shadow /etc/shadow.backup
- Open the file with a text editor:
sudo nano /etc/shadow
- Find the line for the user you want to lock.
- Add an exclamation mark (!) at the beginning of the password hash field (the second field, between the first and second colons).
- Save and exit.
For example, a line like:
john:$6$abc123...:18000:0:99999:7:::
Becomes:
john:!$6$abc123...:18000:0:99999:7:::
This manual method is not recommended for beginners, but it is good to know. If you do edit by hand, `vipw -s` opens `/etc/shadow` in your editor while holding the same file lock that `passwd` and `usermod` respect, so a concurrent tool cannot overwrite your change.
Method 5: Locking SSH Key Access
As mentioned earlier, `passwd -l` does not block SSH key authentication. To fully lock an account, you must also disable SSH key login. Here are two ways:
- Remove the user’s SSH authorized_keys file:
sudo rm /home/username/.ssh/authorized_keys
- Or, add a rule in the SSH server config to deny that user.
To deny a user in SSH config:
- Edit the SSH config file:
sudo nano /etc/ssh/sshd_config
- Add a line:
DenyUsers username
- Restart the SSH service:
sudo systemctl restart sshd
This prevents the user from logging in via SSH entirely. On Debian and Ubuntu the service unit is named `ssh` rather than `sshd`.
Method 6: Locking The Account With A Shell Change
Another approach is to change the user’s login shell to something that does not allow interactive sessions, like `/sbin/nologin` or `/bin/false`. This method blocks all login types, including console and SSH.
To change the shell:
sudo usermod -s /sbin/nologin username
Or:
sudo usermod -s /bin/false username
The user will see a message like “This account is currently not available.” when trying to log in. To revert, set the shell back to the default, usually `/bin/bash`.
How To Verify The Account Is Locked
After locking an account, you should verify that it worked. Here are a few ways:
- Check the shadow file:
sudo grep username /etc/shadow
Look for an exclamation mark.
- Try to switch to the user:
su - username
It should fail with “Authentication failure.”
- Check account status with:
sudo passwd -S username
This shows “L” for locked.
The `passwd -S` command output looks like this:
username L 2023-10-01 0 99999 7 -1 (Password locked.)
The “L” means locked.
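The verification steps above, and the shadow line format from Method 4, as an added example that is not part of the original article: a small POSIX shell function that classifies one `/etc/shadow` entry. Unlike a plain grep for “!”, it also recognises the expiry lock set by `chage -E`, and it flags an empty password field, which is the opposite of locked. The `check_user` wrapper and the `username` argument are assumptions for use on a live system (reading `/etc/shadow` needs root).

```shell
#!/bin/sh
# Added example, not from the original article.
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Usage: shadow_state '<shadow line>' <today as days since 1970-01-01>
# Prints one of: locked | expired | nopassword | active
# Returns 0 when password login is blocked (locked/expired), 1 otherwise.
shadow_state() {
    line=$1
    today=$2
    IFS=: read -r name hash _ _ _ _ _ expire _ <<EOF
$line
EOF
    case "$hash" in
        '!'*|'*'*)
            # "!" is what passwd -l / usermod -L prepend; "*" is a password
            # that was never set. passwd -S reports both as "L".
            echo locked
            return 0 ;;
    esac
    case "$expire" in
        ''|-1)
            # empty (what chage -E -1 writes) or -1: no expiry date
            ;;
        *[!0-9]*)
            # not a number: ignore the field
            ;;
        *)
            # chage -E 0 writes 0, which is always <= today
            if [ "$expire" -le "$today" ]; then
                echo expired
                return 0
            fi ;;
    esac
    if [ -z "$hash" ]; then
        # empty hash field: no password required at all, not locked
        echo nopassword
        return 1
    fi
    echo active
    return 1
}

# Live check (assumed wrapper, needs root): getent prints the user's shadow
# line, and the day number is the current time in whole days.
check_user() {
    entry=$(getent shadow "$1") || { echo "no such user: $1"; return 2; }
    shadow_state "$entry" "$(( $(date +%s) / 86400 ))"
}
```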
How To Unlock A User Account
Unlocking is just as easy. Use the opposite command:
- For `passwd -l`, use:
sudo passwd -u username
- For `usermod -L`, use:
sudo usermod -U username
- For a manual shadow edit, remove the exclamation mark.
After unlocking, the user can log in with their password again.
When To Lock A User Account
Locking accounts is useful in many scenarios:
- An employee leaves the company.
- A user account is compromised.
- You want to temporarily disable access for maintenance.
- You need to enforce a security policy.
Always lock accounts instead of deleting them if there is a chance the user will return. This preserves their files and settings.
Security Considerations
Locking an account does not kill existing sessions. If a user is already logged in, they will remain active until they log out or you kill their processes. To force a logout, use:
sudo pkill -u username
Also, remember that root or sudo users can always unlock an account. So locking is not a security measure against privileged users.
Another tip: use `faillock` to automatically lock accounts after failed login attempts. This is a separate feature from manual locking.
Automating Account Locking With Scripts
If you manage many users, you can automate locking with a simple script. Here is a bash example:
#!/bin/bash
# Lock the password of each listed account; quote the variable so odd names are passed intact
for user in user1 user2 user3; do
sudo passwd -l "$user"
done
Save this as `lock_users.sh`, make it executable with `chmod +x lock_users.sh`, and run it with sudo.
You can also combine locking with logging for audit purposes.
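A version of that script with the logging mentioned above, added here as an example that is not the article's own script: it reads usernames from a file, refuses `root` and malformed names (two of the mistakes listed later on this page), verifies each lock with `passwd -S`, and writes an audit line with `logger`. It assumes the shadow-utils `passwd` and the `logger` command; `users.txt` and the `LOCK_LIST` variable are placeholders.

```shell
#!/bin/sh
# Added example, not the article's script. Run as root:
#   sudo LOCK_LIST=users.txt ./lock_users.sh

# valid_target NAME -> 0 if NAME may be locked, 1 otherwise.
valid_target() {
    case "$1" in
        ''|root)            return 1 ;;   # never lock root by accident
        *[!A-Za-z0-9._-]*)  return 1 ;;   # outside the usual username charset
        -*)                 return 1 ;;   # passwd would read it as an option
    esac
    return 0
}

# lock_and_verify NAME -> lock the password, then confirm the status column
# of "passwd -S" reads L (Debian-style output) or LK (Red Hat-style output).
lock_and_verify() {
    passwd -l "$1" >/dev/null || return 1
    status=$(passwd -S "$1" | awk '{print $2}')
    case "$status" in
        L|LK) logger -t lock_users "locked password for $1 (status $status)"
              return 0 ;;
        *)    logger -t lock_users "FAILED to lock $1 (status $status)"
              return 1 ;;
    esac
}

# lock_from_file FILE -> one username per line; "#" starts a comment line.
lock_from_file() {
    while IFS= read -r name || [ -n "$name" ]; do
        case "$name" in '#'*|'') continue ;; esac
        if ! valid_target "$name"; then
            logger -t lock_users "skipped invalid target '$name'"
            continue
        fi
        if ! id "$name" >/dev/null 2>&1; then
            logger -t lock_users "no such user: $name"
            continue
        fi
        lock_and_verify "$name"
    done < "$1"
}

# Only act when a list is given, so the functions can be sourced safely.
if [ -n "${LOCK_LIST:-}" ]; then
    lock_from_file "$LOCK_LIST"
fi
```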
Common Mistakes To Avoid
Here are some pitfalls when locking accounts:
- Forgetting to disable SSH keys.
- Locking the root account by accident.
- Not verifying the lock after applying it.
- Using `passwd -l` on an account that already has an exclamation mark.
Always double-check your commands, especially on production systems.
Locking Vs Deleting A User Account
Locking is reversible; deleting is not. When you delete a user with `userdel -r`, their home directory and mail spool are removed. Locking keeps everything intact. For temporary situations, always lock. For permanent removal, consider backing up data first.
Locking Multiple Users At Once
To lock multiple users quickly, use a loop in the terminal:
for user in alice bob charlie; do sudo passwd -l "$user"; done
Or read from a file:
while read -r user; do sudo passwd -l "$user"; done < users.txt
This is efficient for bulk operations.
Using GUI Tools To Lock Accounts
If you prefer a graphical interface, some Linux distributions offer user management tools. For example, on Ubuntu, you can use "Users and Groups" from the settings menu. However, the command line is faster and more reliable for servers.
Locking Accounts In A Docker Container
Inside a Docker container, the same commands work. But note that containers often run as root, so locking accounts may not be necessary. If you do need to lock a user inside a container, use `passwd -l` as usual.
Locking Accounts In A Virtual Environment
For virtual machines or cloud instances, locking accounts follows the same steps. Just ensure you have sudo access or root privileges.
Frequently Asked Questions
What is the difference between passwd -l and usermod -L?
Both commands do the same thing: they add an exclamation mark to the password hash. The choice is personal preference. Some sysadmins prefer `usermod` because it is part of the user management suite.
Can I lock a user account without sudo?
No, locking an account requires root or sudo privileges. Regular users cannot lock other accounts.
Does locking an account affect running processes?
No, existing processes continue to run. You must kill them manually if needed.
How do I lock a user account in Linux permanently?
Use `passwd -l` and also disable SSH keys. For permanent lock, consider expiring the account with `chage -E 0`.
What happens to the user's files when I lock the account?
Nothing. Files remain in the home directory. Only login access is disabled.
Conclusion
Now you know multiple ways to lock a user account in Linux. The most common method is `passwd -l`, but for full security, combine it with SSH key removal or shell change. Always verify the lock and remember to unlock when needed. Practice these commands on a test system before using them in production.
Locking accounts is a fundamental skill for any Linux administrator. It helps maintain security and control over user access. Bookmark this guide for quick reference.