Disabling user accounts
There are several ways to disable a user account, either temporarily or
permanently, with or without the ability to restore the account as it was.
Basically they amount to changing either the password or the shell, that is,
changing those fields in the /etc/shadow and /etc/passwd files respectively.
The exercise to perform
Create two fresh users
useradd jack
useradd jill
Look at the resulting passwords. They're in the 2nd field in the new records at the bottom of the shadow file:
tail /etc/shadow
In a different virtual terminal (Ctrl-Alt-F?), try to log in as jack and/or jill.
Disabling by manipulating the user's password
Now create the password "hello" for jill:
passwd jill
In the other virtual terminal, test that you can now log in as jill. Using an editor, copy the contents of jill's password field into jack's. Remove whatever may have been in jack's password field till now. Now test that you can log in as jack, using the same password as jill ("hello").
Let's change jack's password to "goodbye" by replacing his /etc/shadow password field accordingly. Accordingly?? What should the hashed/scrambled version of "goodbye" be? That's what the field requires. Run this command interactively, supplying "goodbye" as password.
grub-md5-crypt
It will produce and display the hashed version of the password. Edit this into jack's password field then check he can log in with password "goodbye".
So, disabling a user account could be done by simply disturbing the content of the password field. Any change you made there would change the password the user must supply, and render the password that the user knows inoperative and useless. The passwd command can do this for you.
passwd -l jack
Now look at jack's password field.
passwd -u jack
Now look again. -l and -u stand for lock and unlock. Because "locking" just inserts one character, it leaves the door open to reversal. Just remove the single extra character you introduced. (If you totally deleted the old password, you could not administratively restore the old password.)
Disabling by manipulating the user's called shell
Another way to disable an account is to replace "/bin/bash" as the user's shell with some other program that does little or nothing and just quits. There will be no command prompt (that's a creature of bash: no bash, no prompt). Two such programs are /bin/false, which just quits without doing anything, and /sbin/nologin, which quits after printing an advisory message. To see the behavior, run both as normal commands at the prompt:
false
nologin
Now edit /etc/passwd, replacing the final field in jack's record with "/bin/false" and jill's record with "/sbin/nologin". Use the usermod command, which will do it for you automatically:
usermod -s /bin/false jack
usermod -s /sbin/nologin jill
tail /etc/passwd
su jack
su jill
(The user's shell is invoked when you run su, so that's another way to test it, in addition to logging in directly at a virtual terminal.)
Clean up:
userdel -r jack
userdel -r jill
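The two mechanisms in this exercise leave different traces: a "!" prefix in the shadow password field, or a do-nothing program in the last passwd field. The script below is an added example, not part of the original exercise, that reports both for one account. The function names, the state labels and the sample records (including the user bob) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report how an account is disabled (password field, shell).
# Function names and state labels are illustrative; sample data is constructed.

# account_state PASSWD_FILE SHADOW_FILE USER
account_state() {
    awk -F: -v user="$3" '
        # First file (passwd format): the login shell is field 7.
        FNR == NR && $1 == user { found = 1; shell = $7 }
        FNR == NR { next }
        # Second file (shadow format): the password hash is field 2.
        $1 == user { hash = $2; shadowed = 1 }
        END {
            if (!found || !shadowed) { print user " not-found"; exit 1 }
            rest = hash
            sub(/^!+/, "", rest)    # strip the lock prefix, if present
            if (hash == "") pw = "empty"                      # no password needed
            else if (rest == "" || rest == "*") pw = "none"   # never had a hash
            else if (rest != hash) pw = "locked"              # hash kept after "!"
            else pw = "set"
            # Assumption: any shell path ending in false or nologin is a disabler.
            sh_state = (shell ~ /\/(false|nologin)$/) ? "disabled" : "usable"
            print user " password=" pw " shell=" sh_state
        }
    ' "$1" "$2"
}

# Constructed sample records; the hash strings are placeholders, not real hashes.
write_samples() {
    cat > "$1/passwd" <<'EOF'
jack:x:1001:1001::/home/jack:/bin/false
jill:x:1002:1002::/home/jill:/bin/bash
bob:x:1003:1003::/home/bob:/sbin/nologin
EOF
    cat > "$1/shadow" <<'EOF'
jack:$1$constructed$notARealHashValue00000:19000:0:99999:7:::
jill:!$1$constructed$notARealHashValue00000:19000:0:99999:7:::
bob:!!:19000:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for u in jack jill bob; do
    account_state "$demo_dir/passwd" "$demo_dir/shadow" "$u"
done
rm -rf "$demo_dir"
```

To check the accounts created in the exercise, run it as root before the clean-up step with /etc/passwd and /etc/shadow as the two file arguments.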