Linux lets you disable access to a user account without changing anything else about the account. This is useful when you do not want to remove the account permanently but only want it disabled so that the user can no longer log in to the system.
A disabled user will still receive email, for example, but will not be able to log in and read it. Linux distributions store the encrypted user passwords in the /etc/shadow file. A user account can be temporarily disabled or permanently removed.
1) Editing /etc/shadow
You can disable or lock a user account temporarily by putting an asterisk "*" at the beginning of the second field in the file /etc/shadow. The "*" means that no login is permitted for this account. Whenever you want to re-enable the account, just erase the asterisk and the user account is back in operation with its old password.
For example, to disable the user “Tom”, you can do this as follows:
Here, the second field is the encrypted password.
You can replace the password with “*” or “!”. This renders the user account inaccessible: no login is permitted for the user.
However, the main disadvantage of this method is that the password is lost if we later want to re-enable the account.
2) Using passwd command
The passwd command can also be used to disable a user account.
#passwd -l Tom
The above command changes the shadow file and adds “!” in front of the user's password:
To enable the account again, unlock it with the -u option as follows:
#passwd -u Tom
You can also enable the account by manually removing the “!” character from the user’s password line in /etc/shadow.
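To check which state an account is actually in after the edits described in sections 1 and 2, the following added example (not part of the original article) classifies the second field of shadow-format lines. The function names, the state labels and the sample lines are constructed for illustration; the hashes are placeholders, not real values.

```shell
#!/bin/sh
# Classify the password field (2nd colon-separated field) of one
# shadow-format line and print "<user> <state>".
shadow_state() {
    line=$1
    case $line in
        *:*) ;;                                  # has at least two fields
        *)   printf '%s malformed\n' "$line"; return 0 ;;
    esac
    user=${line%%:*}          # text before the first colon
    rest=${line#*:}           # everything after the first colon
    field=${rest%%:*}         # the password field
    case $field in
        '')            state=empty ;;            # no password set at all
        '*'|'!'|'!!')  state=disabled-no-hash ;; # marker only, old hash is gone
        '!'*|'*'*)     state=locked-hash-kept ;; # marker + hash, can be unlocked
        *)             state=active ;;
    esac
    printf '%s %s\n' "$user" "$state"
}

# Read shadow-format lines on stdin, skipping blank and comment lines.
audit_shadow() {
    while IFS= read -r l; do
        case $l in ''|'#'*) continue ;; esac
        shadow_state "$l"
    done
}

# Constructed sample input (placeholder hashes).
sample_shadow() {
    cat <<'EOF'
Tom:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bob::19000:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

As root, run it against the real file with `audit_shadow < /etc/shadow`. A locked password field only blocks password logins; as passwd(1) notes, the user may still be able to log in with another authentication token such as an SSH key.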
3) Permanently remove user account
To permanently remove the user, run the userdel command.
#userdel -r Tom
Make sure to check the user's home directory before running this command, because the -r option removes it along with the account.