Skip to Content

3 Ways to Lock a User Account in Linux

In this blog post, we will discuss three different ways that you can lock a user account in Linux. Locking user accounts is an important security measure that can help protect your system from unauthorized access. Each of the methods that we will discuss are effective and easy to use. Let’s get started!

Methods to lock a user account in Linux

  • Method 1: Lock the account with passwd command
  • Method 2: Lock the account using the usermod command
  • Method 3: Expire the password and Disable access with the chage command

 

understanding /etc/shadow file in Linux

The /etc/shadow file is a file that contains information about user accounts in Linux. It includes the encrypted password for each user account and also includes other information such as the user’s account name and the date when the password will expire.

The /etc/shadow file is only accessible by the root user.

Example of /etc/shadow file

The /etc/shadow file contains the following information for the user account test:

test:$6$3Ih/yZCRYECVIc6e$.xxx.fbw82oq18i.:19257:7:60:7:30:19297:

The first column of the /etc/shadow file lists the user’s account name. The second column lists the user’s encrypted password.

After the user is locked, one exclamation mark (!) will be added to the encrypted password.

Example:

test:!$6$3Ih/yZCRYECVIc6e$.xxx.fbw82oq18i.:19257:7:60:7:30:19297:

Once a user account has been locked in Linux, the user will be unable to log in to the system. The user’s password will no longer work and the user will be unable to access any of their files or folders.

Related: 2 ways to check user password expiration date in Linux

Procedure to lock a user account in Linux

  1. Open the terminal.
  2. switch to the root account with su – or sudo su – command
  3. Type passwd -l username and press Enter. Replace username with the actual username of the user you want to lock the account for. The output will show that the user has been locked.
  4. Type passwd -S username and press enter. This command can check the user status. If the output shows that the user is locked, it means the account has been successfully locked.

 

Lock a User Account with passwd command in Linux

You can lock a user account in Linux by using the passwd -l command. This command will lock the specified user account. The user will not be able to login until the account is unlocked. Only the root account can lock a user with this method.

Note that the account is not fully locked – the user can still log in by other means of authentication such as the ssh public key authentication. Use chage -E 0 user command instead for full account locking.

you would use the following command:

passwd -l username

# passwd -l test
Locking password for user test
passwd: Success

The passwd -S command can be used to check the status of a user account. This command will return one of the following statuses:

  • LK: locked password
  • NP: no password
  • PS: password set

 

Example:
# passwd -S test
test LK 2022-09-22 7 60 7 30 (Password locked.)

passwd -S command will output a short information about the status of the password for a given account. The status information consists of 7 fields.

The first field is the user’s login name. The second field indicates if the user account has a locked password (LK), has no password (NP), or has a usable password (PS). The third field gives the date of the last password change.

The next four fields are the minimum age, maximum age, warn‐ing period, and inactivity period for the password. These ages are expressed in days.

To unlock the account, you can use the following command:

passwd -u username

Example:
passwd -u test
Unlocking password for user test.
passwd: Success

The passwd command has a number of other useful options that you can use to manage user accounts. Here are a few of the most common options:

  • -l: This option locks the user account.
  • -u: This option unlocks the user account.
  •  -d: This is a quick way to delete a password for an account. It will set the named account passwordless. Available to root only.
  • -e, –expire : This is a quick way to expire a password for an account. The user will be forced to change the password during the next login attempt.  Available to root only.

 

Lock a User Account with usermod command in Linux

The second method that you can use to lock a user account is by using the usermod command. This command can be used to modify various aspects of a user account, including the ability to login. To lock a user account with this method, you would use the following command:

usermod -L username

This command will also lock the specified user account. The user will not be able to login until the account is unlocked.

To unlock the account, you can use the following command:

usermod -U username

 This command will unlock the specified user account. The user will be able to login again after this command is run.

Some of the other things that you can do with the usermod command:

 

Lock a User Account with chage command in Linux

The third and final method that we will discuss for locking a user account is by using the chage command. This chage command can be used to modify the password aging information for a user account. To lock a user account with this method, you would use the following command:

chage -E 0 username

This command will set the account expiration date for the specified user account to 0. This effectively locks the account because the user will not be able to login without a valid password.

# chage -l test
Last password change : Sep 22, 2022
Password expires : Nov 21, 2022
Password inactive : Dec 21, 2022
Account expires : Jan 01, 1970
Minimum number of days between password change : 7
Maximum number of days between password change : 60
Number of days of warning before password expires : 7

We will see the following error when we try to log in the server with this account.

Your account has expired; please contact your system administrator

We can unlock this user by changing the account expiration date with the following command.

chage -E 2022-11-1 username

# chage -l test
Last password change : Sep 22, 2022
Password expires : Nov 21, 2022
Password inactive : Dec 21, 2022
Account expires : Nov 01, 2022
Minimum number of days between password change : 7
Maximum number of days between password change : 60
Number of days of warning before password expires : 7

The chage command is used to modify the password aging information for a user account. This can be useful for locking a user account if you want to prevent them from logging in. To unlock the account, you can use the following command:

chage -E -1 username

This command will remove the account expiration date for the specified user.

# chage -E -1 test
[root@howtouselinux ~]# chage -l test
Last password change : Jul 07, 2022
Password expires : Sep 05, 2022
Password inactive : Oct 05, 2022
Account expires : never
Minimum number of days between password change : 7
Maximum number of days between password change : 60
Number of days of warning before password expires : 7

There are a number of other options that you can use with the chage command. For more information, you can consult the man page for this command.

These are just a few of the ways that you can lock a user account in Linux. Locking user accounts is a necessary part of account management, and it is something that you should be familiar with.

Try out these methods on your own system to get a better understanding of how they work. And, as always, if you have any questions, feel free to leave a comment below and we will do our best to answer them.

Daniel Li

Wednesday 18th of October 2023

Good job. It is very clear and to the point. Thanks a lot.