How do I completely disable an account?

The correct way according to usermod(8) is:

usermod --lock --expiredate 1970-01-02 <username>

(Actually, the argument to --expiredate can be any date before the current date in the format YYYY-MM-DD.)


Explanation:

  • --lock locks the user's password. However, login by other methods (e.g. public key) is still possible.

  • --expiredate YYYY-MM-DD disables the account at the specified date. According to man shadow 5, 1970-01-01 is an ambiguous value and shall not be used.

I've tested this on my machine. Neither login with password nor public key is possible after executing this command.


To re-enable the account at a later date you can run:

usermod --unlock --expiredate '' <username>

Lock the password and change the shell to /bin/nologin.

sudo usermod --lock --shell /bin/nologin username

(Or more concisely, sudo usermod -L -s /bin/nologin username.)


Here is another simple way. You can set the user account to expired. This will prevent both password-based and SSH key-based logins for the account, but does not touch the password.

To lock the account:

# chage -E 0 username

The user account 'username' will be locked out on the system. To re-enable the user account, do the following.

To unlock the account:

# chage -E -1 username

The user account 'username' will be re-enabled on your system with the same password as before. The 'chage' binary is part of the shadow-utils package on Red Hat Linux, or the passwd package on Debian Linux.
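
To audit what the commands in the answers above actually leave behind, the following added example (not part of any answer) classifies one shadow(5) line by its password field and its account-expiry field. The function name shadow_state and the sample lines are constructed for illustration; on a live system the lines would come from `getent shadow` run as root.

```shell
#!/bin/sh
# Added example: classify a shadow(5)-format line.
# Usage: shadow_state 'LINE' [TODAY_AS_DAYS_SINCE_EPOCH]
shadow_state() {
    line=$1
    # Today as days since 1970-01-01, unless the caller supplies a value.
    today=${2:-$(( $(date +%s) / 86400 ))}

    # Field 2 is the password hash; field 8 is the account expiry date,
    # stored as days since 1970-01-01.
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    expire=$(printf '%s\n' "$line" | cut -d: -f8)

    case $hash in
        '')    pw=empty ;;
        '!'*)  pw=locked ;;     # usermod --lock prefixes the hash with '!'
        '*'*)  pw=unusable ;;   # no valid hash; password login impossible
        *)     pw=usable ;;
    esac

    case $expire in
        '')        exp=never ;;      # result of chage -E -1 / --expiredate ''
        0)         exp=ambiguous ;;  # shadow(5) says 0 should not be used
        *[!0-9]*)  exp=invalid ;;
        *)  if [ "$expire" -le "$today" ]; then exp=expired; else exp=active; fi ;;
    esac

    printf 'password=%s expiry=%s\n' "$pw" "$exp"
}

# Constructed sample lines (placeholder hashes, not real accounts):
#   alice: after usermod --lock --expiredate 1970-01-02 (expiry field 1)
#   bob:   untouched account
#   carol: after chage -E 0 (expiry field 0)
while IFS= read -r l; do
    printf '%s: %s\n' "${l%%:*}" "$(shadow_state "$l")"
done <<'EOF'
alice:!$6$salt$hash:19000:0:99999:7::1:
bob:$6$salt$hash:19000:0:99999:7:::
carol:$6$salt$hash:19000:0:99999:7::0:
EOF
```

An account that reports password=locked with expiry=never or expiry=active can still be reached by non-password methods such as public keys, which is the gap the first answer describes.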