How to Restrict Login Capabilities for Users in Ubuntu

Introduction

Managing user access and privileges is a critical aspect of system administration. On Ubuntu, administrators have various methods to control user logins, ensuring better security and operational integrity. This guide focuses on methods like modifying system files and utilizing specific commands for restricting user logins in Ubuntu.

Restricting Access Using /etc/passwd

One commonly used method involves modifying the /etc/passwd file. The file contains user account information, including the shell a user logs into. To restrict a user, their shell can be set to /usr/sbin/nologin. To check the shell currently set for a user:

    grep '^username:' /etc/passwd

For example, the entry might appear as follows:

    username:x:1001:1001::/home/username:/usr/sbin/nologin

When the shell is set to /usr/sbin/nologin, the user cannot open an interactive login session. Attempting to switch to this user results in:

    sudo su username
    # Output: This account is currently not available.

Restricting Access Using /etc/shadow

The /etc/shadow file stores hashed password information for user accounts. To prevent a user from logging in with a password, their password field can be set to * or !. The usermod -L command does this by placing a ! in front of the existing hash, which disables password authentication for the account:

    sudo usermod -L username

To verify, use (reading /etc/shadow requires root):

    sudo grep '^username:' /etc/shadow

The output will reflect the locked password field.
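
The two checks above (login shell in /etc/passwd, password field in /etc/shadow) combined into one status report. This is an added example, not part of the original guide. The function name login_status, the sample accounts and the hashes are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how an account is restricted, reading passwd- and
# shadow-format files. Paths are parameters; on a live system pass /etc/passwd
# and /etc/shadow (reading shadow requires root).

# login_status USER PASSWD_FILE SHADOW_FILE
# Prints "USER shell=<interactive|nologin> password=<set|locked|empty>".
login_status() {
    ls_user=$1
    # passwd field 7 is the login shell. Match field 1 exactly, so that
    # "bob" does not also match "bobby" the way a bare grep would.
    if ! ls_shell=$(awk -F: -v u="$ls_user" \
            '$1 == u { print $7; f = 1 } END { exit !f }' "$2"); then
        echo "$ls_user unknown"
        return 1
    fi
    # shadow field 2 is the password hash, or a lock marker.
    ls_hash=$(awk -F: -v u="$ls_user" '$1 == u { print $2 }' "$3")
    case $ls_shell in
        */nologin|*/false) ls_s=nologin ;;
        *)                 ls_s=interactive ;;   # empty field means /bin/sh
    esac
    case $ls_hash in
        '!'*|'*'*) ls_p=locked ;;   # usermod -L prefixes the hash with "!"
        '')        ls_p=empty ;;
        *)         ls_p=set ;;
    esac
    echo "$ls_user shell=$ls_s password=$ls_p"
}

# Constructed sample data (not real accounts or hashes).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/usr/sbin/nologin
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
alice:$6$SALT$CONSTRUCTEDHASH:19000:0:99999:7:::
bob:!$6$SALT$CONSTRUCTEDHASH:19000:0:99999:7:::
carol:*:19000:0:99999:7:::
EOF

for u in alice bob carol; do
    login_status "$u" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
done
```

An account reported as shell=interactive password=locked, like bob here, can still be reached by login methods that do not use the password, such as SSH key authentication.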

Utilizing /etc/nologin

Another effective method involves creating a /etc/nologin file. When this file exists, only root can log in. Non-root users attempting to log in receive the message specified in the /etc/nologin file (if any).

To implement:

    sudo touch /etc/nologin
    echo "System maintenance in progress." | sudo tee /etc/nologin

Remove the file to restore regular login capabilities:

    sudo rm /etc/nologin

What is the purpose of /usr/sbin/nologin?

It prevents a user from logging into the system while still allowing them access to services like FTP or mail.

How do I re-enable login for a user locked with /etc/shadow?

Use the command sudo passwd -u username to unlock the user’s account.

Is it safe to directly edit /etc/passwd or /etc/shadow?

Editing these files requires caution. Use dedicated commands like usermod or passwd for safety.

Can the /etc/nologin file block root users?

No, the file only restricts non-root users. Root can always log in regardless of this file’s presence.

How do I log out all users for system maintenance?

You can use commands like wall to broadcast messages and then pkill -u username to log out users.

Is there a way to temporarily restrict all logins without modifying individual accounts?

Yes, the /etc/nologin file is ideal for this purpose.