There are different methods of locking a user account in Linux. Each method is explained below.
Editing the /etc/passwd file by hand
This is the crudest form of disabling a user account in Linux.
Open /etc/passwd in an editor. Use vipw rather than editing the file directly: it opens /etc/passwd in the editor named by your EDITOR variable (vi if you have not set one) and takes a lock on the file, so a useradd or passwd run at the same moment cannot clobber your change.
My /etc/passwd file is as shown below (truncated for brevity).
#FILE: /etc/passwd
...
ravi:x:500:500:Ravi Kumar:/home/ravi:/bin/bash
...
To disable a user's account - for example user 'ravi' - replace the login shell '/bin/bash' in the last field with '/sbin/nologin' (on Debian and Ubuntu the path is /usr/sbin/nologin; check which one exists on your system). nologin prints "This account is currently not available." and exits non-zero, so any login that tries to start the user's shell fails, whether on the console, through su or over SSH.
#FILE: /etc/passwd
...
ravi:x:500:500:Ravi Kumar:/home/ravi:/sbin/nologin
...
Now save and close the file.
Alternately, you can invalidate the password instead of the shell. With shadow passwords the 'x' in the second field of /etc/passwd only tells the system to look the hash up in /etc/shadow, so the clean place for this change is the second field of /etc/shadow: put a '!' or '*' in front of the hash, which is exactly what passwd -l does. The older trick of putting the character in front of the 'x' in /etc/passwd, as shown below, also stops password logins, but only because '*x' is not a valid hash and the shadow entry is then never consulted; it is a misuse of the file format, and 'passwd -S', which reads /etc/shadow, will still report the password as usable.
#FILE: /etc/passwd
...
ravi:*x:500:500:Ravi Kumar:/home/ravi:/bin/bash
...
Save and exit the file.
Invalidating the password does not disable the account. Public-key authentication over SSH never consults the password hash, so a user with a key in ~/.ssh/authorized_keys can still log in; the passwd manual page warns about exactly this, and it applies to passwd -l as well. Changing the shell to nologin does block SSH logins, because sshd starts the shell and nologin exits at once, but it does not stop services that authenticate the user without starting a shell (for example SFTP served by sshd's internal-sftp). Setting an expiry date with chage, described next, is the one method here that is enforced by the PAM account stage and by sshd regardless of how the user authenticates.
Use the chage command
The chage command sets the password-ageing fields of a user's /etc/shadow entry: the number of days between password changes, the date of the last change, and the date on which the account itself expires. The system uses this information to decide when a user must change their password and when the account stops accepting logins altogether.
The trick to disabling a user account in Linux using chage is to set the expiry of the user account to a date previous to the current one.
So for example, if today's date is October 13 2005, you can lock a user account by setting the expiry date to October 12 2005 or earlier.
# chage -E 2005-10-01 ravi
... where the date is in YYYY-MM-DD format. The value is stored in the eighth field of the user's /etc/shadow entry as a count of days since 1970-01-01, and chage also accepts that number directly: 'chage -E 1 ravi' (the same thing usermod --expiredate 1 does) is the conventional way to expire an account immediately. Do not use 0 for this, because a zero in that field means the account never expires. Confirm the result with 'chage -l ravi', which prints an 'Account expires' line.
You can re-enable the account by running the same command with a date later than today, or remove the expiry altogether with 'chage -E -1 ravi'. Unlike the password edits above, expiry is checked in the account stage of PAM and by sshd itself, so an expired account is refused however the user authenticates, SSH keys included.
Use the passwd command
This is by far the easiest way of locking a user's password in Linux. To lock it, open a terminal and enter the following command.
# passwd -l <username>
Continuing with our previous example to lock out the user 'ravi', do the following as root / superuser.
# passwd -l ravi
And to unlock the account,
# passwd -u ravi
passwd -l simply prefixes the hash in /etc/shadow with a '!', so the password itself is preserved and -u only strips the prefix again; 'passwd -S ravi' shows L for a locked password and P for a usable one (usermod -L and -U do the same thing). Like the /etc/passwd edit, this locks only the password: a user with an SSH key in authorized_keys can still log in. To disable the account outright, lock the password and expire the account together with 'usermod -L -e 1 ravi', and reverse both with 'usermod -U -e "" ravi'.
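The script below is an added example and not part of the original article: it reads a passwd file and a shadow file (copies, or the real ones as root) and reports, per account, which of the three mechanisms above is in effect, so the gaps between them are visible at a glance. It is run here on constructed sample entries with placeholder hashes; the sample user names and the helper names (audit_accounts, write_samples, run_demo, verdict_for) are my own.

```shell
#!/bin/sh
# Added example (not from the original article): report which lock mechanism is in
# effect for every account in a passwd/shadow pair.
#   usage: audit_accounts /etc/passwd /etc/shadow     (root is needed to read shadow)
# Helper names (audit_accounts, write_samples, run_demo, verdict_for) are my own.

# Days since 1970-01-01; the expiry field of /etc/shadow uses the same unit.
TODAY_DAYS=$(( $(date +%s) / 86400 ))

# audit_accounts PASSWD_FILE SHADOW_FILE
# Prints one line per shadow entry:  user  shell-status  password-status  expiry-status  VERDICT
audit_accounts() {
    awk -F: -v today="$TODAY_DAYS" '
        # pass 1, the passwd file: remember the shell and the raw password field
        NR == FNR { shell[$1] = $7; pwfield[$1] = $2; next }

        # pass 2, the shadow file
        {
            user = $1; hash = $2; expire = $8
            sh = (user in shell) ? shell[user] : ""

            # method 1: login shell replaced by nologin (or /bin/false)
            sstat = (sh ~ /\/(nologin|false)$/) ? "shell_disabled" : "shell_ok"

            # method 3 (passwd -l, usermod -L) prefixes the hash with "!";
            # a lone "*" means no password was ever set; anything other than "x"
            # in the passwd file means the shadow entry is never consulted at all
            if (user in pwfield && pwfield[user] != "x") pstat = "passwd_field_override"
            else if (hash == "")                pstat = "EMPTY_PASSWORD"
            else if (hash ~ /^!/)               pstat = "password_locked"
            else if (hash == "*")               pstat = "no_password"
            else if (substr(hash, 1, 1) == "$") pstat = "password_set"
            else                                pstat = "invalid_hash"

            # method 2 (chage -E): expired only if the field is > 0 and not in the future;
            # an empty field and 0 both mean "never expires"
            estat = (expire != "" && expire + 0 > 0 && today >= expire + 0) ? "expired" : "not_expired"

            # only expiry is honoured by every authentication path, SSH keys included
            if (estat == "expired")             verdict = "LOCKED"
            else if (sstat == "shell_disabled") verdict = "NO_SHELL"
            else if (pstat == "password_locked" || pstat == "no_password" || pstat == "passwd_field_override" || pstat == "invalid_hash") verdict = "PASSWORD_ONLY"
            else                                verdict = "ACTIVE"

            printf "%-8s %-15s %-22s %-12s %s\n", user, sstat, pstat, estat, verdict
        }
    ' "$1" "$2"
}

# Constructed sample entries (not real accounts; the hashes are placeholders):
#   ravi   - passwd -l only          anil  - shell set to nologin
#   meena  - usermod -L -e 1         suresh - expiry field 0 (no effect)
#   kiran  - never had a password    vijay - the "*x" edit in /etc/passwd
write_samples() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ravi:x:500:500:Ravi Kumar:/home/ravi:/bin/bash
anil:x:501:501:Anil:/home/anil:/sbin/nologin
meena:x:502:502:Meena:/home/meena:/bin/bash
suresh:x:503:503:Suresh:/home/suresh:/bin/bash
kiran:x:504:504:Kiran:/home/kiran:/bin/bash
vijay:*x:505:505:Vijay:/home/vijay:/bin/bash
EOF
    cat > "$2" <<'EOF'
root:$6$saltsalt$placeholderhash:13000:0:99999:7:::
ravi:!$6$saltsalt$placeholderhash:13000:0:99999:7:::
anil:$6$saltsalt$placeholderhash:13000:0:99999:7:::
meena:!$6$saltsalt$placeholderhash:13000:0:99999:7::1:
suresh:$6$saltsalt$placeholderhash:13000:0:99999:7::0:
kiran:*:13000:0:99999:7:::
vijay:$6$saltsalt$placeholderhash:13000:0:99999:7:::
EOF
}

# run_demo: audit the constructed samples and print the report
run_demo() {
    dir=$(mktemp -d)
    write_samples "$dir/passwd" "$dir/shadow"
    audit_accounts "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

# verdict_for USER: the VERDICT column for one sample user
verdict_for() {
    run_demo | awk -v u="$1" '$1 == u { print $NF }'
}

run_demo
```

In the sample report ravi, kiran and vijay come out as PASSWORD_ONLY: their hashes are unusable, but nothing stops a key-based SSH login. anil is NO_SHELL, and meena, locked with usermod -L -e 1, is the only account reported LOCKED. suresh carries an expiry of 0, which the system treats as no expiry at all, so that account stays ACTIVE.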
Check the logs for failed logins
Failed logins are written to /var/log/faillog only by the programs that maintain it: login on the console and, where it is configured, the pam_tally module. sshd does not update it; its failures go to the system log instead (/var/log/secure on Red Hat-style systems, /var/log/auth.log on Debian-style ones, or the journal on systemd hosts). To see which users have failed attempts recorded there, run:
# faillog -a
This reads /var/log/faillog and prints each user's failure count, the time of the last failure and where it came from. The same kind of per-user counter is what the lock-after-N-failures modules use: pam_tally on older systems (pam_tally2 keeps its own /var/log/tallylog) and pam_faillock on current ones, which stores its counters under /var/run/faillock and is inspected and reset with the faillock command rather than faillog.
Default password policies come from /etc/login.defs. The password-ageing settings there (PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE) are copied into a user's /etc/shadow entry when the account is created, so changing them affects only accounts created afterwards; for existing accounts set the same values with chage (-M, -m and -W).
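Since faillog never sees sshd, the added example below (not from the original article) summarises failed password attempts and successful public-key logins from a syslog-style auth log. The log lines are constructed for the demonstration and use documentation address ranges; the helper names (failed_ssh_summary, ssh_failures_for, key_logins, write_sample_log, run_demo) are my own. Run it against /var/log/secure or /var/log/auth.log as root.

```shell
#!/bin/sh
# Added example (not from the original article): summarise failed SSH logins from a
# syslog-style auth log, which faillog never records.
#   usage: failed_ssh_summary /var/log/auth.log     (or /var/log/secure)
# Helper names (failed_ssh_summary, ssh_failures_for, key_logins, write_sample_log,
# run_demo) are my own.

# failed_ssh_summary LOGFILE
# Prints "count user source" for every sshd "Failed password" line, busiest first.
# sshd logs names that do not exist as "invalid user NAME"; those are tagged.
failed_ssh_summary() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            # the user name sits just before the "from" token, the source just after it
            for (i = 1; i <= NF; i++) if ($i == "from") { user = $(i - 1); src = $(i + 1) }
            if ($0 ~ /for invalid user /) user = user "(invalid)"
            n[user " " src]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# ssh_failures_for USER LOGFILE: failed password attempts for one user, all sources
ssh_failures_for() {
    failed_ssh_summary "$2" | awk -v u="$1" '$2 == u { t += $1 } END { print t + 0 }'
}

# key_logins LOGFILE: users who authenticated with a public key; a user whose
# password was locked with passwd -l showing up here is the gap discussed above
key_logins() {
    awk '/sshd\[[0-9]+\]: Accepted publickey for / {
             for (i = 1; i <= NF; i++) if ($i == "for") print $(i + 1)
         }' "$1" | sort -u
}

# Constructed sample log (not a real capture); addresses are from documentation ranges.
# The last line is a console failure from login, the only one faillog would record.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 13 09:14:02 host sshd[2143]: Failed password for ravi from 192.0.2.10 port 51234 ssh2
Oct 13 09:14:05 host sshd[2143]: Failed password for ravi from 192.0.2.10 port 51235 ssh2
Oct 13 09:14:09 host sshd[2150]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Oct 13 09:15:01 host sshd[2160]: Accepted publickey for ravi from 192.0.2.10 port 51240 ssh2
Oct 13 09:16:44 host sshd[2171]: Failed password for root from 198.51.100.7 port 40020 ssh2
Oct 13 09:17:30 host sshd[2188]: Failed password for ravi from 203.0.113.5 port 60001 ssh2
Oct 13 09:18:00 host login[2195]: FAILED LOGIN 1 FROM tty1 FOR ravi, Authentication failure
EOF
}

# run_demo: write the sample log, print the failure summary and the key logins
run_demo() {
    f=$(mktemp)
    write_sample_log "$f"
    echo "failed password attempts (count user source):"
    failed_ssh_summary "$f"
    echo "users who logged in with a public key:"
    key_logins "$f"
    rm -f "$f"
}

run_demo
```

In the sample, ravi's three failed password attempts come from two sources and are aggregated by ssh_failures_for, the non-existent 'admin' is tagged as invalid, and the successful publickey line for ravi is the kind of entry to look for after a passwd -l: it shows the lock did not keep the user out.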