Disable a user's login without disabling the account
Let's say I create a user named "bogus" using the `adduser` command. How can I make sure this user will NOT be a viable login option, without disabling the account? In short, I want the account to be accessible via `su - bogus`, but I do not want it to be accessible via a regular login prompt.
Searching around, it seems I need to disable that user's password, but doing `passwd -d bogus` didn't help. In fact, it made things worse, because I could now log in to bogus without even typing a password.
Is there a way to disable regular logins for a given account?
Note: Just to be clear, I know how to remove a user from the menu options of graphical login screens such as gdm, but these methods simply hide the account without actually disabling login. I'm looking for a way to disable regular login completely, text-mode included.
Your `-d` is the flag to delete the password. That is different from disabling it (referred to as locking, see Chad's answer).
You probably want to completely disable them: https://unix.stackexchange.com/questions/7690/how-do-i-completely-disable-an-account Also see this Ask Ubuntu question: https://askubuntu.com/questions/282806/how-to-enable-or-disable-a-user
`passwd -l user` is what you want.
That will lock the user account. But you'll still be able to `su - user` but you'll have to `su - user` as root.
Alternatively, you can accomplish the same thing by prepending a `!` to the user's password in `/etc/shadow` (this is all `passwd -l` does behind the scenes). And `passwd -u` will undo this.
By using the `passwd -l` option you should be aware that the user could login using another authentication token (e.g. an SSH key).
Please see my answer below on a recommended solution on how to avoid this.
This does not work on Ubuntu 16.04. It will change the expire date and not allow `su - user` anymore.
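An added example, not taken from any of the posts above: a POSIX shell sketch that classifies the password field of shadow-format lines, separating the empty field that `passwd -d` leaves behind from the `!`-prefixed hash described for `passwd -l`. The function names and sample entries are constructed for illustration; on a real system the same functions would read `/etc/shadow` as root.

```shell
#!/bin/sh
# Classify the 2nd field of a shadow(5) entry.
shadow_state() {
    case "$1" in
        "")            echo "EMPTY" ;;       # passwd -d: login needs no password
        '!'|'!!'|'*')  echo "NOPASSWORD" ;;  # no hash set, password login impossible
        '!'*)          echo "LOCKED" ;;      # '!' prepended to an existing hash
        *)             echo "ACTIVE" ;;      # usable password hash
    esac
}

# Model of the field change described in the answer: lock prepends '!',
# unlock strips one leading '!'. (Illustrative helpers, not passwd itself.)
lock_field()   { printf '!%s' "$1"; }
unlock_field() { printf '%s' "${1#!}"; }

# Read shadow-format lines on stdin, print "user STATE" per account.
# Note: LOCKED only covers password authentication; other tokens such as
# SSH keys are not reflected in this field.
audit_shadow() {
    while IFS=: read -r user field rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(shadow_state "$field")"
    done
}

# Constructed sample entries (hashes are placeholders, not real values).
SAMPLE='alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bogus::19000:0:99999:7:::
carol:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::'

printf '%s\n' "$SAMPLE" | audit_shadow
```

Any account reported as `EMPTY` is in the state the question describes after `passwd -d`.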