  • Let's say I create a user named "bogus" using the adduser command. How can I make sure this user will NOT be a viable login option, without disabling the account? In short, I want the account to be accessible via su - bogus, but I do not want it to be accessible via a regular login prompt.

    Searching around, it seems I need to disable that user's password, but doing passwd -d bogus didn't help. In fact, it made things worse, because I could now login to bogus without even typing a password.

    Is there a way to disable regular logins for a given account?

    Note: Just to be clear, I know how to remove a user from the menu options of graphical login screens such as gdm, but these methods simply hide the account without actually disabling login. I'm looking for a way to disable regular login completely, text-mode included.

    Your `-d` is the flag to delete the password. That is different from disabling it (referred to as locking, see Chad's answer).

    Chad Feller Correct answer

    9 years ago
    passwd -l user

    is what you want.

    That will lock the user account. But you'll still be able to

    su - user

    but you'll have to su - user as root.

    Alternatively, you can accomplish the same thing by prepending a ! to the user's password in /etc/shadow (this is all passwd -l does behind the scenes). And passwd -u will undo this.
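    The difference between `passwd -d` (empty password field) and `passwd -l` (a `!` prepended to the field) can be checked directly in shadow-format data. The script below is an added example, not part of the original answer; the function names, state labels and sample lines are constructed for illustration, and it inspects only the password field, not other authentication methods.

```shell
#!/bin/sh
# Added example: classify the password field of shadow(5)-style lines.
# Sample lines are constructed; the hashes are placeholders.

# shadow_state LINE -> prints "<user> <STATE>", returns 1 on a malformed line
shadow_state() {
    case $1 in *:*) ;; *) return 1 ;; esac
    user=${1%%:*}
    rest=${1#*:}
    field=${rest%%:*}
    case $field in
        '')     state=EMPTY ;;      # what passwd -d leaves: no password at all
        '!'*)
            bare=${field#\!}; bare=${bare#\!}
            case $bare in
                ''|'*') state=NO_HASH ;;  # nothing usable behind the '!'
                *)      state=LOCKED ;;   # passwd -l: '!' in front of a hash
            esac ;;
        '*')    state=NO_HASH ;;    # never matches any typed password
        *)      state=ACTIVE ;;     # a usable hash: password login possible
    esac
    printf '%s %s\n' "$user" "$state"
}

# audit_shadow: read shadow-format lines on stdin, print one state per account
audit_shadow() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        shadow_state "$line" || printf 'skipped malformed line\n' >&2
    done
}

# Constructed sample data (not a real /etc/shadow)
audit_shadow <<'EOF'
alice:$6$SALT$PLACEHOLDERHASH:19000:0:99999:7:::
bogus::19000:0:99999:7:::
bogus2:!$6$SALT$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
newsvc:!:19000:0:99999:7:::
EOF
```

    Against a live system, run `audit_shadow < /etc/shadow` as root; any account reported as EMPTY is in the state the question describes after `passwd -d`.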

    By using the `passwd -l` option you should be aware that the user could login using another authentication token (e.g. an SSH key).

    Please see my answer below on a recommended solution on how to avoid this.

    This does not work on Ubuntu 16.04. It will change the expire date and not allow su - user anymore.

    Is this the same as the `--disabled-password` option given to `adduser`? Does creating a user without `--disabled-password` and then running `passwd -l` on that user achieve the same result as running `adduser` with `--disabled-password` in the first place?

