Often times as a linux administrator, we are progmatically tasked with adding and removing users, without manually editing the ‘/etc/password’ file. . These tasks are pretty common, but sometimes we are also asked to lock or disable a users login, but leave their account and home directory/file in place or frozen. I have found that using the command ‘passwd -l [username]’ often does the trick.
The ‘passwd -l [username]’ command disables the users ability to login by placing a character in front of the hashed password, while the ‘passwd -u [username]’ unlocks the users login ability.
The administrator will still be able to su to the account by issuing the command ‘su – [username]’ to bring up the disabled users environment and access/control the users home directory and file structure. As a security measure, the ability to su to a disabled account is only permissable as the root user.
Another wrinkle to the ability to disable a users login ability is the ‘passwd -l [username]’ command doesn’t work the same on Centos 7 as ot does on Centos 6. It is advisable to utilize the ‘usermod –lock –expiredate 2000-01-01 [username]’ command on Centos 7. To unlock the account use the following command ‘usermod –unlock –expiredate ” [username]’ If you want to set the expiration date to the Jan 1 1970, use ‘usermod –expiredate 0 [username]’.
Another way on Centos7 is to use the ‘chage’ command. By issuing ‘chage -E 0 [username], [username] will be locked out of the system. ‘chage -E -1 [username] will remove the user’s expiration date completely.