There are times when locking a Linux user account is necessary and times when you need to reverse that action. Here are commands for managing account access and what's behind them. Credit: SQBack / Getty Images If you are administering a Linux system, there will likely be times that you need to lock an account. Maybe someone is changing positions and their continued need for the account is under question; maybe there’s reason to believe that access to the account has been compromised. In any event, knowing how to lock an account and how to unlock it should it be needed again is something you need to be able to do. One important thing to keep in mind is that there are multiple ways to lock an account, and they don’t all have the same effect. If the account user is accessing an account using public/private keys instead of a password, some commands you might use to block access to an account will not be effective. Locking an account using the passwd command One of the simplest ways to lock an account is with the passwd -l command. For example: $ sudo passwd -l tadpole The effect of this command is to insert an exclamation point as the first character in the encrypted password field in the /etc/shadow file. This is enough to keep the password from working. What previously looked like this (note the first character): $6$IC6icrWlNhndMFj6$Jj14Regv3b2EdK.8iLjSeO893fFig75f32rpWpbKPNz7g/eqeaPCnXl3iQ7RFIN0BGC0E91sghFdX2eWTe2ET0:18184:0:99999:7::: will look like this: !$6$IC6icrWlNhndMFj6$Jj14Regv3b2EdK.8iLjSeO893fFig75f32rpWpbKPNz7g/eqeaPCnXl3iQ7RFIN0BGC0E91sghFdX2eWTe2ET0:18184:0:99999:7::: On his next login attempt (should there be one), tadpole would probably try his password numerous times and not gain access. You, on the other hand, would be able to check the status of his account with a command like this (-S = status): $ sudo passwd -S tadpole tadpole L 10/15/2019 0 99999 7 -1 The “L” in the second field tells you that the account is locked. Before the account was locked, it would have been a “P”. An “NP” would mean that no password was set. The usermod -L command would have the same effect (inserting the exclamation character to disable use of the password). One of the benefits of locking an account in this way is that it’s very easy to unlock the account when and if needed. Just reverse the change by removing the added exclamation point with a text editor or, better yet, by using the passwd -u command. $ sudo passwd -u tadpole passwd: password expiry information changed. The problem with this approach is that, if the user is accessing his or her account with public/private keys, this change will not block their use. Locking accounts with the chage command Another way to lock a user account is to the the chage command that helps manage account expiration dates. $ sudu chage -E0 tadpole $ sudo passwd -S tadpole tadpole P 10/15/2019 0 99999 7 -1 The chage command is going to make a subtle change to the /etc/shadow file. The eighth field in that colon-separated file (shown below) will be set to zero (previously empty) and this means the account is essentially expired. The chage command tracks the number of days between password changes, but also provides account expiration information when this option is used. A zero in the eiighth field would mean that the account expires a day after January 1, 1970, but also simply locks it when a command like that shown above is used. $ sudo grep tadpole /etc/shadow | fold tadpole:$6$IC6icrWlNhndMFj6$Jj14Regv3b2EdK.8iLjSeO893fFig75f32rpWpbKPNz7g/eqeaPC nXl3iQ7RFIN0BGC0E91sghFdX2eWTe2ET0:18184:0:99999:7::0: ^ | +--- days until expiration To reverse this change, you can simply remove the 0 that was placed in the /etc/shadow entry for the user with a command like this: % sudo chage -E-1 tadpole Once an account is expired in this way, even passwordless SSH will not provide access. Related content how-to Compressing files using the zip command on Linux The zip command lets you compress files to preserve them or back them up, and you can require a password to extract the contents of a zip file. By Sandra Henry-Stocker May 13, 2024 4 mins Linux opinion NSA, FBI warn of email spoofing threat Email spoofing is acknowledged by experts as a very credible threat. By Sandra Henry-Stocker May 13, 2024 3 mins Linux how-to The logic of && and || on Linux These AND and OR equivalents can be used in scripts to determine next actions. By Sandra Henry-Stocker May 02, 2024 4 mins Linux how-to Using the apropos command on Linux By Sandra Henry-Stocker Apr 24, 2024 3 mins Linux PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe