Disable a user's login without disabling the account
passwd -l user is what you want.
That will lock the user account. But you'll still be able to su - user, but you'll have to su - user as root.
Alternatively, you can accomplish the same thing by prepending a ! to the user's password in /etc/shadow (this is all passwd -l does behind the scenes). And passwd -u will undo this.
The man page of passwd(1) says about passwd -l:
Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970).
So usermod --expiredate 1 [LOGIN] seems to me like the right way to disable an account a user should not be able to use anymore (e.g. because he left the company).
There are two methods to prevent a user from being able to login:
- you can lock the user by editing /etc/passwd
- by directly issuing the passwd command with the -l switch
In the second case the user can login using another authentication token (e.g. an SSH key).
Method #1
- Find where nologin is: /bin/nologin or /bin/sbin/nologin
- Open a terminal and log in as root
- Type vi /etc/passwd
Now you are in the passwd file; press Ins to edit the file.
Change the line below to use the nologin option (/bin/bash means the user is able to login).
root:x:0:0:root:/root:/bin/bash
to this. nologin means the user is unable to login.
root:x:0:0:root:/root:/bin/nologin
(or with /bin/sbin/nologin)
- Close vi: Esc :wq
Method #2
To lock user: passwd -l username
To unlock user: passwd -u username
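An added example (not from any of the answers above) for auditing which of these mechanisms is in effect on an account: it reads the login shell from a passwd(5) line and the password and expiry fields from a shadow(5) line. The helper name account_state and all account lines are constructed for illustration.

```shell
#!/bin/sh
# account_state PASSWD_LINE SHADOW_LINE TODAY_DAYS
# Prints the disabling mechanisms found, space-separated, or "active".
#   pw-locked      password field starts with "!" (what passwd -l writes);
#                  per passwd(1), other tokens such as SSH keys still work
#   expired        shadow expiry field (8th) is set and in the past;
#                  usermod --expiredate 1 writes 1 here
#   nologin-shell  login shell in passwd is nologin or false
account_state() {
    as_passwd=$1
    as_shadow=$2
    as_today=$3
    as_shell=${as_passwd##*:}                              # last passwd field
    as_hash=$(printf '%s\n' "$as_shadow" | cut -d: -f2)    # password field
    as_expire=$(printf '%s\n' "$as_shadow" | cut -d: -f8)  # days since epoch
    as_state=""

    case $as_hash in
        '!'*) as_state="$as_state pw-locked" ;;
    esac

    # Empty means no expiry. shadow(5) says 0 should not be used because
    # its meaning is ambiguous, so only positive values count as a date.
    if [ -n "$as_expire" ] && [ "$as_expire" -gt 0 ] \
        && [ "$as_today" -ge "$as_expire" ]; then
        as_state="$as_state expired"
    fi

    case $as_shell in
        */nologin|*/false) as_state="$as_state nologin-shell" ;;
    esac

    [ -n "$as_state" ] || as_state=" active"
    printf '%s\n' "${as_state# }"
}

# Constructed sample accounts (the hashes are placeholders, not real hashes).
today=$(( $(date +%s) / 86400 ))
printf 'alice: %s\n' "$(account_state \
    'alice:x:1001:1001::/home/alice:/bin/bash' \
    'alice:!$6$salt$placeholder:19000:0:99999:7:::' "$today")"
printf 'bob:   %s\n' "$(account_state \
    'bob:x:1002:1002::/home/bob:/bin/bash' \
    'bob:$6$salt$placeholder:19000:0:99999:7::1:' "$today")"
```

An account that reports only pw-locked is the case the passwd(1) note warns about: the password is unusable, but key-based logins are not blocked.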