How to Disable a User in Linux

Disabling a user account in Linux means the user can no longer login to the system. However, the account will still persist on the system, which makes it different than deleting a user account entirely.

You may need to disable a user account temporarily, or disable the login capability for a system account. In this guide, you’ll learn a few different methods of disabling a user account on Linux. You’ll also see how to re-enable the account.

Disable User Account by Editing /etc/shadow

The usermod command can be used to disable, or “lock,” a user account on Linux. Supply the -L (Lock) option in your command’s syntax, as seen below.

# usermod -L testuser

In reality, executing the usermod -L command is just adding an exclamation point the beginning of the user’s encryted password, stored inside the /etc/shadow file. You can observe this change by viewing the /etc/shadow file after disabling a user account.

# cat /etc/shadow | grep testuser
testuser:!$6$Cf8K/f1kM4EIX2ut$T2u [...]

If you need to re-enable the user in the future, use the -U (Unlock) option in your usermod command.

# usermod -U testuser

Doing so will remove the exclamation point from the /etc/shadow file, and the user can now login with the same password they had before. When checking /etc/shadow again, you’ll see the exclamation mark has disappeared.

# cat /etc/shadow | grep testuser
testuser:$6$Cf8K/f1kM4EIX2ut$T2u [...]

Disable User Account With nologin or false Shells

Another way to disable a user account is to change their default login shell. Most Linux systems will have either the /sbin/nologin or /usr/sbin/nologin shells available.

Use the usermod command and -s option to change a user’s shell to /sbin/nologin.

# usermod testuser -s /sbin/nologin

After executing the command, you can view the /etc/passwd file to see that the account’s login shell has been changed.

# cat /etc/passwd | grep testuser

In the future, if someone tries to login with the user account, they’ll be directed to the /sbin/nologin shell and receive the following message:

# su testuser
This account is currently not available.

You can also change a user’s shell to the /bin/false file, which will exit as soon as the user logs in, and return exit status 0 (false). They won’t receive any kind of message like they would with /sbin/nologin. To set a user’s shell to /bin/false, use the following command.

# usermod testuser -s /bin/false

Regardless of which shell you use, either nologin or false, the end result is that the user will no longer be able to login.

To re-enable the user at a later time, change their shell back to the system’s default, which is likely Bash.

# usermod testuser -s /bin/bash

Take a look at the /etc/shells file to see a complete list of valid login shells for your system.

$ cat /etc/shells

Leave a Comment

Your email address will not be published. Required fields are marked *