How to Disable Shell Access to User Account in Linux

By default, a user account created in Linux gets a login shell and can therefore log in over SSH. Some accounts, such as those that exist only for FTP or mail, don't need shell access.

In this tutorial, let's learn how to disable shell access for an existing Linux user or create a new user with no shell access.

Create a new user with no shell access

By default, when a user account is created, it is assigned the shell defined in the /etc/default/useradd file.

While creating a user account, you can explicitly specify the shell the user logs in with.

Linux comes with a /sbin/nologin shell, which displays the message 'This account is currently not available' when a user attempts to connect. This is one way to prevent the user from accessing a login shell.

Let's look at two commands that create a user with a disabled shell.

Using useradd:

Syntax:

useradd -s /sbin/nologin {username}

Using adduser:

Syntax:

adduser --shell /sbin/nologin {username}

Disable Shell for an existing user

To change the shell for an existing user, use the chsh or usermod command.

Using chsh:

Syntax:

chsh -s /sbin/nologin {username}

To change shell to nologin for the user named bob, type:

$ sudo chsh -s /sbin/nologin bob

Using usermod:

Syntax:

usermod {username} -s {shell path}

To change shell to /sbin/ftpnologin for the user named bob, type:

$ sudo usermod bob -s /sbin/ftpnologin

You can customize the shell to show a message when users log in via FTP.

$ cat /sbin/ftpnologin
#!/bin/sh
# Print the notice and exit non-zero so that no shell is ever started.
echo "No shell access. Only FTP access allowed."
exit 1

To give executable permission, type:

$ sudo chmod a+x /sbin/ftpnologin

All valid login shells are listed in /etc/shells; append the new shell to this list:

$ echo "/sbin/ftpnologin" | sudo tee -a /etc/shells

Instead of using the commands above, you can manually change the shell by editing the /etc/passwd file, which also works.
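
To check the result of the steps above, the following script (an added example, not part of the original tutorial) reads a passwd-format file and reports, for each account, whether its shell is a no-login stub and whether that shell appears in the shells file. The function name audit_shells, the list of stub shells, and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit login shells in a passwd-format file.
# Assumption: this list of stub shells; /sbin/ftpnologin is the
# custom shell created in this tutorial.
NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false /sbin/ftpnologin"

# audit_shells PASSWD_FILE SHELLS_FILE
# Prints "user shell no-shell|has-shell listed|unlisted" for every account.
audit_shells() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        case $user in ''|'#'*) continue ;; esac   # skip blank or comment lines
        [ -n "$shell" ] || shell=/bin/sh          # empty field defaults to /bin/sh
        case " $NOLOGIN_SHELLS " in
            *" $shell "*) access=no-shell ;;
            *)            access=has-shell ;;
        esac
        # Exact whole-line match against the list of valid shells.
        if grep -qxF -- "$shell" "$2"; then
            listed=listed
        else
            listed=unlisted
        fi
        printf '%s %s %s %s\n' "$user" "$shell" "$access" "$listed"
    done < "$1"
}

# Constructed sample data (not real accounts) so the example runs offline.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bob:x:1001:1001::/home/bob:/sbin/ftpnologin
alice:x:1002:1002::/home/alice:/sbin/nologin
carol:x:1003:1003::/home/carol:/bin/zsh
dave:x:1004:1004::/home/dave:
EOF
cat > "$demo_dir/shells" <<'EOF'
/bin/sh
/bin/bash
/sbin/nologin
EOF

audit_shells "$demo_dir/passwd" "$demo_dir/shells"
# On a live system: audit_shells /etc/passwd /etc/shells
```

In the sample, bob is reported as no-shell but unlisted because /sbin/ftpnologin was never appended to the shells file; programs that consult /etc/shells, traditionally FTP daemons, can refuse such an account. dave has an empty shell field, which defaults to /bin/sh and therefore still grants shell access.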

Conclusion

In this tutorial, we learned how to disable shell access for a user account. Thanks for reading.