Three ways to Lock and Unlock accounts on Linux Systems.


Method #1: Lock, check the status of, and unlock a user account using the passwd command.

One of the simplest ways to lock a given user account is to run the passwd command with the -l option.

$ sudo passwd -l snubmonkey
passwd: password expiry information changed.

You can check the locked status of the account either with the passwd command or by filtering the username from the /etc/shadow file.

Let's check the user account locked status using passwd command.

$ sudo passwd -S snubmonkey
or 
$ sudo passwd --status snubmonkey

snubmonkey L 02/22/2021 0 99999 7 -1

The output above shows several pieces of information about the password status of the given account. In our example the status field is L, meaning the password is locked.

  • L: Password locked
  • NP: No password
  • P: Password set

Let's now check the locked status of the user account by filtering the username from the /etc/shadow file.
The effect of passwd -l is to insert an exclamation point (!) as the first character of the encrypted password field in the /etc/shadow file. This is enough to keep the password from working.

$ sudo grep snubmonkey /etc/shadow
snubmonkey:!$6$d9QhT5wUOCyUrNR5$dTXCCfS1CCWIdgf0CDZtgn.rmHT6RADvYnqZdMSNXBJ9Ko/GZA6bUHz19A52N6PqCdgf27ZWbyc49YNBiGpBK0:18680:0:99999:7:::

Of course, you can also make this edit manually, and it will have the same effect. We do not recommend it, though.

Now, let's reverse the effect by running the passwd command with the -u option to unlock a given user account.

$ sudo passwd -u snubmonkey
passwd: password expiry information changed.

Method #2: Locking & unlocking user account with usermod command.

The usermod command is used to modify the attributes of an existing user account from the command line. It is primarily used to add a user to a specific group.

Let's run the usermod command with the -L option to lock a given user account.

$ sudo usermod -L snubmonkey
or 
$ sudo usermod --lock snubmonkey

Again, the locked status of the account can be verified with the passwd -S command or by filtering the user from the ‘/etc/shadow’ file, since the usermod command does not have that option.

Checking the user account locked status using passwd command.

$ sudo passwd -S snubmonkey
or 
$ sudo passwd --status snubmonkey

snubmonkey L 02/22/2021 0 99999 7 -1

Checking the user account locked status using /etc/shadow file.

$ sudo grep snubmonkey /etc/shadow
snubmonkey:!$6$d9QhT5wUOCyUrNR5$dTXCCfS1CCWIdgf0CDZtgn.rmHT6RADvYnqZdMSNXBJ9Ko/GZA6bUHz19A52N6PqCdgf27ZWbyc49YNBiGpBK0:18680:0:99999:7:::

Let's run the usermod command with the -U option, which re-enables the password by changing it back to its previous value.

$ sudo usermod --unlock snubmonkey
or
$ sudo usermod -U snubmonkey

That's it!!!

Method #3: Changing the shell to nologin.


Naturally, one way of locking out a user is to not let that user log in in the first place. To do so, change the user's shell to the nologin shell. Once the account is disabled this way, the user will not be able to access the Linux system via SSH until the account is activated again.

$ sudo usermod -s /usr/sbin/nologin snubmonkey

The new shell can be verified in the /etc/passwd file.

$ sudo grep snubmonkey /etc/passwd
snubmonkey:x:1001:1004::/home/snubmonkey/:/usr/sbin/nologin

Now, let's try to su into user snubmonkey.

$ su snubmonkey
Password:
This account is currently not available.

The above message indicates that the user is not allowed to log in.

*Little bonus: Changing the shell to false


There is also the option of changing the shell to false, which unlike nologin (which displays a message), just logs the user back out whenever the user tries to log in.
It’s a bit extreme, but also useful.

$ sudo usermod -s /usr/sbin/false snubmonkey
$ sudo grep snubmonkey /etc/passwd
snubmonkey:x:1001:1004::/home/snubmonkey/:/usr/sbin/false

Again, let's try to su into user snubmonkey with the shell set to false.

$ su snubmonkey
Password:
su: failed to execute /usr/sbin/false: No such file or directory

Reversal

We can activate the disabled user account by changing the shell back to its original value.

$ sudo usermod -s /bin/zsh snubmonkey

and voilà, you are all set!
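
Added example, not part of the original article: the password lock (methods 1 and 2) and the login shell (method 3) are independent settings, and passwd -l alone does not stop logins that use another credential such as an SSH key, so an audit should report both per account. The script below reads shadow- and passwd-format files given as arguments; the function names, the ROOT prefix argument and the sample accounts are assumptions made for this sketch.

```bash
#!/usr/bin/env bash
# Added example, not from the original article; all sample data is constructed.

# pw_state SHADOW USER: print L, NP or P, the codes `passwd -S` reports.
pw_state() {
  awk -F: -v u="$2" '$1 == u {
    found = 1
    if ($2 == "") print "NP"            # empty field: no password
    else if ($2 ~ /^[!*]/) print "L"    # leading ! or *: no hash can match
    else print "P"                      # usable password hash
  } END { exit !found }' "$1"
}

# shell_state PASSWD USER [ROOT]: print missing, blocked or interactive.
# ROOT is a hypothetical prefix so the path check can run on a test tree.
shell_state() {
  local sh
  sh=$(awk -F: -v u="$2" '$1 == u { print $7; f = 1 } END { exit !f }' "$1") || return 1
  sh=${sh:-/bin/sh}                     # empty field means the default shell
  if [ ! -x "${3:-}$sh" ]; then echo missing   # path absent, as in the su error above
  else
    case "${sh##*/}" in
      nologin|false) echo blocked ;;
      *) echo interactive ;;
    esac
  fi
}

# audit SHADOW PASSWD [ROOT]: one line per account in PASSWD.
audit() {
  local u
  while IFS=: read -r u _; do
    echo "$u password=$(pw_state "$1" "$u") shell=$(shell_state "$2" "$u" "${3:-}")"
  done < "$2"
}

demo() {  # constructed tree: nologin and zsh exist, /usr/sbin/false does not
  local d; d=$(mktemp -d)
  mkdir -p "$d/usr/sbin" "$d/bin"
  for f in usr/sbin/nologin bin/zsh; do : > "$d/$f"; chmod +x "$d/$f"; done
  printf '%s\n' 'alice:!$6$salt$hash:18680:0:99999:7:::' \
    'bob:$6$salt$hash:18680:0:99999:7:::' 'carol:$6$salt$hash:18680:0:99999:7:::' > "$d/shadow"
  printf '%s\n' 'alice:x:1001:1001::/home/alice:/bin/zsh' \
    'bob:x:1002:1002::/home/bob:/usr/sbin/nologin' \
    'carol:x:1003:1003::/home/carol:/usr/sbin/false' > "$d/passwd"
  audit "$d/shadow" "$d/passwd" "$d"
  rm -rf "$d"
}
demo
```

On a live system, run it as root against copies of the real files, for example audit /etc/shadow /etc/passwd with no ROOT argument. An account reported as password=L shell=interactive is only password-locked, and shell=missing means the configured shell path does not exist on the host.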