Skip to main content

Locking and Disabling User Accounts in Linux

Locking and Disabling User Accounts in Linux


1. Locking the user account
To lock a user account use the command usermod -L or passwd -l. Both the commands adds an exclamation mark (“!”) in the second field of the file /etc/shadow.It has to be executed by either bob/privilaged user.
It will deny any access which would be done directly using su or with ssh.

# usermod -L bob
or

 
# passwd -l bob

Verify if the user account is locked.
Check for the flag *LK* in the below command output which indicates that the account is locked.

# passwd --status bob
bob *LK* 2020-05-01 0 45 7 -1 (Password set, SHA512 crypt.)

Try to Login

[himanshu@lcfs ~]$ su - bob
Password: 
su: Authentication failure

But with SSH key still connecting

[himanshu@lcfs ~]$ ssh bob@lcfs.lab
Welcome to Himanshu's Server Remote Login!
Last failed login: Fri May 15 17:52:08 IST 2020 on pts/1
There was 1 failed login attempt since the last successful login.
Last login: Fri May 15 17:51:07 2020 from lcfs.lab


2. Expiring the user account

The problem with above menthod is that if ssh password less key setup is done, then the user can still login via ssh using the keys.


# chage -E0 bob
Expiring an account via use of the 8th field in /etc/shadow (using “chage -E”) will block all access methods that use PAM to authenticate a user.


Verify if the account has been expired.


# chage -l bob
Last password change                                    : Apr 17, 2020
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : Jan 01, 1970
Minimum number of days between password change          : 0
Maximum number of days between password change          : 999999
Number of days of warning before password expires       : 7


Try Login

[himanshu@lcfs ~]$ ssh bob@lcfs.lab
Welcome to Himanshu's Server Remote Login!
Your account has expired; please contact your system administrator
Authentication failed.

So normally I prefer to lock and expire the user account both for better security.

3. Changing the shell to no login
We can also change the default shell of the user to /sbin/nologin so that the user do not get any login shell when he tries to login into the system.

# usermod -s /sbin/nologin bob
You can check for the 7th and last field in /etc/passwd for the change of shell to /sbin/nologin.

Verify for no login shell


# grep ^bob /etc/passwd
bob:x:1001:1001:bob:/bob:/sbin/nologin
Labels:

Comments

Post a Comment

Popular posts from this blog

WebLogic migration to OCI using WDT tool

WebLogic migration to OCI using WDT tool Oracle WebLogic Deploy Tool (WDT) is an open-source project designed to simplify and streamline the management of Oracle WebLogic Server domains. With WDT, you can export configuration and application files from one WebLogic Server domain and import them into another, making it a highly effective tool for tasks like migrating on-premises WebLogic configurations to Oracle Cloud. This blog outlines a detailed step-by-step process for using WDT to migrate WebLogic resources and configurations. Supported WLS versions Why Use WDT for Migration? When moving Oracle WebLogic resources from an on-premises environment to Oracle Cloud (or another WebLogic Server), WDT provides an efficient and reliable approach to: Discover and export domain configurations and application binaries. Create reusable models and archives for deployment in a target domain. Key Pre-Requisites Source System: An Oracle WebLogic Server with pre-configured resources such as: Applica...
Post a Comment
Read more

How to Validate TDE Wallet Password in Oracle Database

How to Validate TDE Wallet Password in Oracle Database Validating the Transparent Data Encryption (TDE) wallet password is crucial, especially when ensuring that the password is correct without using the OPEN or CLOSE commands in the database. This blog post explains a straightforward method to validate the TDE password using the mkstore utility. Steps to Validate TDE Wallet Password Follow these steps to validate the TDE wallet password: Step 1: Copy the Keystore/Wallet File Navigate to your existing TDE wallet directory. Copy only the ewallet.p12 file to a new directory. If a cwallet.sso file exists, do not copy it . The absence of cwallet.sso ensures that the wallet does not use auto-login, forcing the utility to prompt for the password. Step 2: Validate Using mkstore Use the mkstore utility to check the contents of the wallet file. The mkstore utility will prompt you for the TDE wallet password, allowing you to validate its correctness. Command Syntax To display the conten...
Post a Comment
Read more

Rename a PDB in Oracle Database Multitenant Architecture in TDE and Non TDE Environment

Rename a PDB in Oracle Database Multitenant Architecture I am sharing a step-by-step guide to help you rename a PDB. This approach uses SQL commands. Without TDE or encryption Wallet Initial Check Check the Current Database Name and Open Mode: SQL > SELECT NAME, OPEN_MODE FROM V$DATABASE; NAME OPEN_MODE --------- -------------------- BEECDB READ WRITE List Current PDBs: SQL > SHOW PDBS; CON_ID CON_NAME OPEN MODE RESTRICTED ---------- ------------------------------ ---------- ---------- 2 PDB$SEED READ ONLY NO 3 FUAT READ WRITE NO We need to RENAME FUAT to BEE  Steps to Rename the PDB Step 1: Export ORACLE_SID Set the Oracle SID to the Container Database (CDB): export ORACLE_SID=BEECDB Step 2: Verify Target PDB Name Availability If the target PDB name is different from the current PDB name, ensure no service exists with the target PDB name. Run SQL to Check Exi...
Post a Comment
Read more