Disabling a user account in Linux means the user can no longer log in to the system. However, the account will still persist on the system, which makes it different from deleting a user account entirely.
You may need to disable a user account temporarily, or disable the login capability for a system account. In this guide, you’ll learn a few different methods of disabling a user account on Linux. You’ll also see how to re-enable the account.
Disable User Account by Editing /etc/shadow
The usermod command can be used to disable, or “lock,” a user account on Linux. Supply the -L (Lock) option in your command’s syntax, as seen below.
# usermod -L testuser
In reality, executing the usermod -L command just adds an exclamation point to the beginning of the user’s encrypted password, stored inside the /etc/shadow file. You can observe this change by viewing the /etc/shadow file after disabling a user account.
# cat /etc/shadow | grep testuser
testuser:!$6$Cf8K/f1kM4EIX2ut$T2u [...]
If you need to re-enable the user in the future, use the -U (Unlock) option in your usermod command.
# usermod -U testuser
Doing so will remove the exclamation point from the /etc/shadow file, and the user can now log in with the same password they had before. When checking /etc/shadow again, you’ll see the exclamation mark has disappeared.
# cat /etc/shadow | grep testuser
testuser:$6$Cf8K/f1kM4EIX2ut$T2u [...]
Disable User Account With nologin or false Shells
Another way to disable a user account is to change their default login shell. Most Linux systems will have either the /sbin/nologin or /usr/sbin/nologin shells available.
Use the usermod command and -s option to change a user’s shell to /sbin/nologin.
# usermod testuser -s /sbin/nologin
After executing the command, you can view the /etc/passwd file to see that the account’s login shell has been changed.
# cat /etc/passwd | grep testuser
testuser:x:1001:1003::/home/testuser:/sbin/nologin
In the future, if someone tries to log in with the user account, they’ll be directed to the /sbin/nologin shell and receive the following message:
# su testuser
This account is currently not available.
You can also change a user’s shell to the /bin/false file, which will exit as soon as the user logs in, and return exit status 0 (false). They won’t receive any kind of message like they would with /sbin/nologin. To set a user’s shell to /bin/false, use the following command.
# usermod testuser -s /bin/false
Regardless of which shell you use, either nologin or false, the end result is that the user will no longer be able to log in.
To re-enable the user at a later time, change their shell back to the system’s default, which is likely Bash.
# usermod testuser -s /bin/bash
Take a look at the /etc/shells file to see a complete list of valid login shells for your system.
$ cat /etc/shells
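The two methods above are independent of each other: one changes /etc/shadow, the other /etc/passwd, so checking an account means reading both. The script below is an added example, not part of the original guide; account_state and make_sample are hypothetical names, and the passwd/shadow entries (including the placeholder hashes) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.

# account_state USER [PASSWD_FILE] [SHADOW_FILE]
# Prints "password=<locked|empty|usable> shell=<disabled|login>"; returns 1 if USER is unknown.
account_state() {
    user=$1 passwd_file=${2:-/etc/passwd} shadow_file=${3:-/etc/shadow}
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    [ -n "$entry" ] || { echo "unknown user: $user" >&2; return 1; }
    login_shell=${entry##*:}    # field 7 of /etc/passwd
    # Field 2 of /etc/shadow holds the hash; usermod -L prefixes it with "!".
    hash=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$shadow_file")
    case $hash in
        '!'*|'*') pw=locked ;;  # "*" is the usual no-password marker on system accounts
        '')       pw=empty ;;
        *)        pw=usable ;;
    esac
    case $login_shell in
        */nologin|*/false) sh_state=disabled ;;
        *)                 sh_state=login ;;
    esac
    echo "password=$pw shell=$sh_state"
}

# make_sample: write constructed passwd/shadow files (placeholder hashes) and print their directory.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
testuser:x:1001:1003::/home/testuser:/sbin/nologin
alice:x:1002:1004::/home/alice:/bin/bash
bob:x:1003:1005::/home/bob:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
testuser:$6$EXAMPLESALT$EXAMPLEHASH:19000:0:99999:7:::
alice:!$6$EXAMPLESALT$EXAMPLEHASH:19000:0:99999:7:::
bob:$6$EXAMPLESALT$EXAMPLEHASH:19000:0:99999:7:::
EOF
    echo "$dir"
}

sample=$(make_sample)
for u in testuser alice bob; do
    printf '%s: %s\n' "$u" "$(account_state "$u" "$sample/passwd" "$sample/shadow")"
done
rm -rf "$sample"
```

A result such as password=locked shell=login deserves a second look: usermod(8) itself notes that -L blocks only the password, and that locking the account as a whole also needs the expiry date set to 1.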