Thursday, 13 October 2005

Different ways of locking a user's account in Linux

You can disable a user's account in the following different ways:

First Method
Open /etc/passwd file and find the line containing the user's name.
# vi /etc/passwd 

Or, on a system used by many people, there is a safer way of opening the /etc/passwd file for editing:
# vipw 
... which also opens the /etc/passwd file for editing in the vi editor, but in a safer manner (it locks the file while you edit it).
#FILE: /etc/passwd
...
ravi:x:500:500:Ravi Kumar:/home/ravi:/bin/bash
...
Now change the shell from /bin/bash to /sbin/nologin.

#FILE: /etc/passwd
...
ravi:x:500:500:Ravi Kumar:/home/ravi:/sbin/nologin
...
Save and exit the file.

Second Method
Open the /etc/passwd file and move to the line containing the user's name. Now insert a '!' (bang) or '*' (asterisk) just before the 'x' in the second field. Save and exit the file.
Note: The fields in the file /etc/passwd are separated by ':' (colons).

#FILE: /etc/passwd
...
ravi:*x:500:500:Ravi Kumar:/home/ravi:/bin/bash
...
Note: If you are not using shadow passwords (highly unlikely), the second field will hold the encrypted password instead of an x. Unlocking the account is the reverse of what you did above.
Important: One guy told me that if you use the above method, a disabled user can log in over the network using SSH. I have not checked it out though.

Third Method
You can use the command chage to lock a user's account. You do this by setting the account's expiry date to a date before the current date.

# chage -E 2005-10-01 ravi

The above command sets the expiry date of ravi's account to 'Oct 1st 2005', a date in the past. So the next time ravi tries to log in to his account, he will get a message that his account is disabled.
Note: For chage to work, you must be using shadow passwords (most distros do by default). You can re-enable the account by running the same command with a date later than the current date.

Fourth Method
Execute the following command:
# passwd -l ravi
This will lock ravi's account. To unlock the account again, do:
# passwd -u ravi
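The four methods leave different traces in /etc/passwd and /etc/shadow. The following shell function, an added example and not part of the original post, checks one account's passwd and shadow records for all four indicators; the records are constructed samples passed in as arguments, and the "today" value is a day count since 1970-01-01 as used in the shadow expiry field.

```shell
#!/bin/sh
# Added example (not from the original post): check one account record for the
# lock indicators described in the four methods above. The passwd and shadow
# lines are passed in as arguments, so the script works on constructed samples
# and never needs to read the live /etc/shadow.

# Constructed sample records for the fictitious user "ravi". Shadow field 8 is the
# expiry day in days since 1970-01-01; 13057 = 2005-10-01, as set by chage -E.
# The hash is a placeholder, not a real one; the leading '!' is what passwd -l adds.
SAMPLE_PASSWD='ravi:x:500:500:Ravi Kumar:/home/ravi:/bin/bash'
SAMPLE_SHADOW='ravi:!$1$placeholder$notarealhash:13050:0:99999:7::13057:'

# field LINE N: print colon-separated field N of LINE.
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# lock_reasons PASSWD_LINE SHADOW_LINE TODAY_DAYS
# Prints one line per lock indicator found; exit 0 if any, 1 if the account is active.
lock_reasons() {
    shell=$(field "$1" 7)
    pw_field=$(field "$1" 2)
    sh_pw=$(field "$2" 2)
    expire=$(field "$2" 8)
    today=$3
    found=1
    # First method: a non-login shell (/sbin/nologin, or the Debian path).
    case $shell in
        /sbin/nologin|/usr/sbin/nologin) echo "shell=$shell"; found=0 ;;
    esac
    # Second method: '!' or '*' inserted into the /etc/passwd password field.
    case $pw_field in
        '!'*|'*'*) echo "passwd-field=$pw_field"; found=0 ;;
    esac
    # Fourth method (passwd -l): the shadow hash gets a '!' prefix; a leading '*'
    # likewise can never match a password.
    case $sh_pw in
        '!'*) echo 'shadow-prefix=!'; found=0 ;;
        '*'*) echo 'shadow-prefix=*'; found=0 ;;
    esac
    # Third method (chage -E): expiry day set and not later than today.
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo "expired=$expire"; found=0
    fi
    return $found
}

# Stand-alone run against the samples as of 2005-10-13 (day 13069): reports the
# '!' prefix and the expiry.
lock_reasons "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" 13069
```

On a real system you would feed it the matching lines from getent passwd and /etc/shadow (the latter readable only by root) and today's day count from the date command.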

Check the logs
All failed logins are audited and logged to the file /var/log/messages. To see who has tried unsuccessfully to log in to their account, try the following:

# grep "FAILED LOGIN" /var/log/messages

Also, if you have a file called /var/log/faillog, check that out too. It contains a history of all failed login details. This file is used when you use PAM (Pluggable Authentication Modules) to enforce password policies.

You can change the default password policies by editing the file /etc/login.defs. But any changes will apply only to user accounts created after the file was modified.
