Locking and unlocking accounts on Linux systems

If you are administering a Linux system, there will likely be times that you need to lock an account. Maybe someone is changing positions and their continued need for the account is under question; maybe there’s reason to believe that access to the account has been compromised. In any event, knowing how to lock an account and how to unlock it should it be needed again is something you need to be able to do.

One important thing to keep in mind is that there are multiple ways to lock an account, and they don’t all have the same effect. If the account user is accessing an account using public/private keys instead of a password, some commands you might use to block access to an account will not be effective.

Locking an account using the passwd command

One of the simplest ways to lock an account is with the passwd -l command. For example:

$ sudo passwd -l tadpole

The effect of this command is to insert an exclamation point as the first character in the encrypted password field in the /etc/shadow file. This is enough to keep the password from working. What previously looked like this (note the first character):

$6$IC6icrWlNhndMFj6$Jj14Regv3b2EdK.8iLjSeO893fFig75f32rpWpbKPNz7g/eqeaPCnXl3iQ7RFIN0BGC0E91sghFdX2eWTe2ET0:18184:0:99999:7:::

will look like this:

!$6$IC6icrWlNhndMFj6$Jj14Regv3b2EdK.8iLjSeO893fFig75f32rpWpbKPNz7g/eqeaPCnXl3iQ7RFIN0BGC0E91sghFdX2eWTe2ET0:18184:0:99999:7:::

On his next login attempt (should there be one), tadpole would probably try his password numerous times and not gain access. You, on the other hand, would be able to check the status of his account with a command like this (-S = status):

$ sudo passwd -S tadpole
tadpole L 10/15/2019 0 99999 7 -1

The “L” in the second field tells you that the account is locked. Before the account was locked, it would have been a “P”. An “NP” would mean that no password was set.

The usermod -L command would have the same effect (inserting the exclamation character to disable use of the password).

One of the benefits of locking an account in this way is that it’s very easy to unlock the account when and if needed. Just reverse the change by removing the added exclamation point with a text editor or, better yet, by using the passwd -u command.

$ sudo passwd -u tadpole
passwd: password expiry information changed.

The problem with this approach is that, if the user is accessing his or her account with public/private keys, this change will not block their use.

Locking accounts with the chage command

Another way to lock a user account is to the the chage command that helps manage account expiration dates.

$ sudu chage -E0 tadpole
$ sudo passwd -S tadpole
tadpole P 10/15/2019 0 99999 7 -1

The chage command is going to make a subtle change to the /etc/shadow file. The eighth field in that colon-separated file (shown below) will be set to zero (previously empty) and this means the account is essentially expired. The chage command tracks the number of days between password changes, but also provides account expiration information when this option is used. A zero in the eiighth field would mean that the account expires a day after January 1, 1970, but also simply locks it when a command like that shown above is used.

$ sudo grep tadpole /etc/shadow | fold
tadpole:$6$IC6icrWlNhndMFj6$Jj14Regv3b2EdK.8iLjSeO893fFig75f32rpWpbKPNz7g/eqeaPC
nXl3iQ7RFIN0BGC0E91sghFdX2eWTe2ET0:18184:0:99999:7::0:
                                                    ^
                                                    |
                                                    +--- days until expiration

To reverse this change, you can simply remove the 0 that was placed in the /etc/shadow entry for the user with a command like this:

% sudo chage -E-1 tadpole

Once an account is expired in this way, even passwordless SSH will not provide access.