If a password policy is already implemented in your organization, there is no need to verify this, as locked accounts will unlock automatically according to the configuration.
However, a manual unlock is needed for user accounts if the lock period is set to a long duration.
This tutorial will show you how to manually lock and unlock user accounts in Linux.
Let’s understand the three ways to perform password lock & unlock by employing these two commands:
passwd:
Used to update a user’s authentication tokens; this is achieved by calling the Linux-PAM and Libuser APIs.
usermod:
Used to modify/update a given user’s account information, add a user to a specific group, etc.
Let’s use the “daygeek” test user account to understand how this works:
Use the ‘id’ command to check whether the given user exists on the system before locking or unlocking.
# id daygeek
uid=2240(daygeek) gid=2243(daygeek) groups=2243(daygeek),2244(ladmin)
Method-1: How to lock, unlock and check status of the user account using passwd command?
The passwd command is one of the commands most frequently used by Linux administrators to update users’ authentication tokens in the /etc/shadow file.
Run the passwd command with the -l switch to lock the given user account.
# passwd -l daygeek
Locking password for user daygeek.
passwd: Success
You can check the locked account status either with the passwd command or by filtering the given user name from the ‘/etc/shadow’ file.
Checking the user account locked status using the passwd command.
# passwd -S daygeek
or
# passwd --status daygeek
daygeek LK 2019-05-30 7 90 7 -1 (Password locked.)
The above output shows several pieces of information about the password status of the given account. In our example the output contains LK, meaning the password is locked.
LK: Password locked
NP: No password
PS: Password set
If the account is already locked, two exclamation marks are prefixed to the user’s password in the ‘/etc/shadow’ file.
# grep daygeek /etc/shadow
daygeek:!!$6$tGvVUhEY$PIkpI43HPaEoRrNJSRpM3H0YWOsqTqXCxtER6rak5PMaAoyQohrXNB0YoFCmAuh406n8XOvBBldvMy9trmIV00:18047:7:90:7:::
Run the passwd command with the -u switch to unlock the given user account.
# passwd -u daygeek
Unlocking password for user daygeek.
passwd: Success
Method-2: Locking & Unlocking user account with usermod command
The ‘usermod’ command is often used by Linux administrators to modify a given user account’s information. It is primarily used to add a user to a specific group.
Run the usermod command with the -L switch to lock the given user account.
# usermod --lock daygeek
or
# usermod -L daygeek
Because the usermod command has no option for showing status, the locked state can be verified using the passwd command or by filtering the user from the ‘/etc/shadow’ file.
Checking the user account locked status using the passwd command.
# passwd -S daygeek
or
# passwd --status daygeek
daygeek LK 2019-05-30 7 90 7 -1 (Password locked.)
Checking the user account locked status using the /etc/shadow file.
# grep daygeek /etc/shadow
daygeek:!!$6$tGvVUhEY$PIkpI43HPaEoRrNJSRpM3H0YWOsqTqXCxtER6rak5PMaAoyQohrXNB0YoFCmAuh406n8XOvBBldvMy9trmIV00:18047:7:90:7:::
Run the usermod command with the -U switch to unlock the given user account.
# usermod --unlock daygeek
or
# usermod -U daygeek
Method-3: Enable and Disable SSH access for user in Linux
Alternatively, a user account can be locked by assigning the nologin shell to the given user. Once the user account is disabled, that user will not be able to access the Linux system via SSH until the account is activated again. Run the below command to disable the user account.
# usermod -s /sbin/nologin daygeek
The user account’s disabled status can be verified from the ‘/etc/passwd’ file.
# grep daygeek /etc/passwd
daygeek:x:2240:2243::/home/daygeek:/sbin/nologin
We can activate the disabled user account by changing the shell back to the old one.
# usermod -s /bin/bash daygeek
Method-3(a): Changing the shell to /dev/null
‘/dev/null’ is a simple device that is implemented in software and does not correspond to any hardware device on the system.
/dev/null looks empty when you read from it, whereas data written to this device simply “disappears.”
A user can be disabled by changing the shell to /dev/null as shown below.
# usermod -s /dev/null daygeek
It can be reversed by changing the shell back to the default shell of the user.
# usermod -s /bin/bash daygeek
Method-3(b): Changing the shell to false
‘/bin/false’ is just a binary that immediately exits, returning false, when it’s called. The user logs in and immediately sees the login prompt again.
Alternatively, a user can be disabled by changing the shell to /bin/false as shown below.
# usermod -s /bin/false daygeek
It can be reversed by changing the shell back to the default shell of the user.
# usermod -s /bin/bash daygeek
Method-4: Locking & unlocking users with chage command
The ‘chage’ command is used to view and modify user password expiration information. It can be used to lock and unlock user accounts.
Set the expiration date to ‘0’ to lock the user account with the chage command as shown below.
# chage -E0 daygeek
Setting the expiration date to ‘0’ means that the account expires a day after January 1, 1970. Please check the following output for details.
# chage -l daygeek
Last password change : Jan 07, 2021
Password expires : never
Password inactive : never
Account expires : Jan 02, 1970
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
To reverse this change, run the following command.
# chage -E -1 daygeek
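Each method above changes a different field: the password field in /etc/shadow (Method-1 and Method-2), the login shell in /etc/passwd (Method-3) and the account expiry in /etc/shadow (Method-4). The script below is an added example, not part of the original tutorial, that reports which of these apply to one account; the function name lock_state and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which of the tutorial's lock mechanisms apply to an account.
# Takes one /etc/passwd line and one /etc/shadow line as strings, so it can be
# tried on constructed samples without root access.

# lock_state PASSWD_LINE SHADOW_LINE [TODAY_AS_DAYS_SINCE_EPOCH]
# Prints a space-separated list of: password-locked shell-disabled account-expired
# or "active" when none of them applies.
lock_state() {
    passwd_line=$1
    shadow_line=$2
    today=${3:-$(( $(date +%s) / 86400 ))}

    # /etc/passwd field 7 is the login shell (Method-3).
    shell=$(printf '%s\n' "$passwd_line" | cut -d: -f7)
    # /etc/shadow field 2 is the password hash (Method-1/2),
    # field 8 the account expiry in days since 1970-01-01 (Method-4).
    hash=$(printf '%s\n' "$shadow_line" | cut -d: -f2)
    expire=$(printf '%s\n' "$shadow_line" | cut -d: -f8)

    state=""
    case $hash in
        '!'*) state="$state password-locked" ;;   # "!" or "!!" prefix
    esac
    case $shell in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false|/dev/null)
            state="$state shell-disabled" ;;
    esac
    # An empty expiry field means the account never expires.
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        state="$state account-expired"
    fi

    state=${state# }                 # drop the leading space
    printf '%s\n' "${state:-active}"
}

# Constructed sample records (hash replaced by a placeholder).
SAMPLE_PASSWD='daygeek:x:2240:2243::/home/daygeek:/bin/bash'
SAMPLE_PASSWD_NOLOGIN='daygeek:x:2240:2243::/home/daygeek:/sbin/nologin'
SAMPLE_SHADOW_OPEN='daygeek:$6$CONSTRUCTED$PLACEHOLDERHASH:18047:7:90:7:::'
SAMPLE_SHADOW_LOCKED='daygeek:!!$6$CONSTRUCTED$PLACEHOLDERHASH:18047:7:90:7:::'
SAMPLE_SHADOW_EXPIRED='daygeek:$6$CONSTRUCTED$PLACEHOLDERHASH:18047:7:90:7::0:'

lock_state "$SAMPLE_PASSWD" "$SAMPLE_SHADOW_LOCKED" 18800
lock_state "$SAMPLE_PASSWD_NOLOGIN" "$SAMPLE_SHADOW_EXPIRED" 18800
```

A result of only password-locked means password authentication is blocked but SSH public-key logins can still succeed; usermod(8) recommends also setting the expiry date when the whole account must be blocked.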
Conclusion
In this tutorial, you learned multiple ways to lock & unlock user accounts on Linux.
If you have any questions or feedback, please leave a comment below.
How do I remove the error “Authentication token manipulation error” and then make sure the account doesn’t lock again due to no password change?
Hi,
I locked my Linux PC and don’t remember the password. I can enter via guest session but can’t see my data from there. As I have Windows connected virtually in that Linux, I need the Linux password to unlock it.
The forgotten user password will need to be reset. Let us know which OS you are using and we can suggest the best way to fix it.