Linux system administrators have many tasks. One of the most important is improving system security, which includes managing users and controlling who can log in. Because administrators are responsible for fixing problems with the Linux operating system and protecting it from intrusion and unauthorized access, disabling user login access is a secure and efficient measure when facing security problems.
As you know, the root user, the superuser, has enough privileges to access and fundamentally change the Linux system. Restricting access for root and non-root users is a security measure. Restricting the root user removes the unlimited privilege to make any change, which makes the Linux system more secure in certain situations. Restricting non-root users prevents intrusion and access by normal users without root privilege, so that only a specific, limited set of people can reach the Linux system and unauthorized access stays under control.
If, as a Linux system administrator, you are looking for a solution to improve security against intrusion and unauthorized access to your Linux system after purchasing a Linux VPS, learning how to disable user login access in Linux is a necessity.
To disable user login access in Linux, there are several methods, which this article covers as follows:
- Editing /etc/nologin file and nologin shell
- Editing the account’s login shell in /etc/passwd File
- Editing Hashed password value in /etc/shadow file
- false command
- usermod command
- Expiration of the lifetime of the user account
- Editing user password
In this article, you can disable user login access in Linux in different ways and strengthen the security of your Linux system, which is one of the most important issues. (In this article, we have implemented the instructions on Ubuntu, but in modern Linux distributions, the instructions for disabling user login access are similar.) Stay with us until the end of the article.
Disabling login Accessibility by editing the /etc/nologin file
The best way to control user login access is to disable login access for all users except the root user. Usually, this method is used to improve the security of the Linux system when there is a need to strongly protect the Linux system against intrusion.
The /etc/nologin file is used to display a message to users who try to access the system. To restrict the access of all user accounts except the root account, first create the file /etc/nologin:
sudo touch /etc/nologin
The previous command creates the file. While it exists, a non-root user who tries to log in is shown the contents of the file as a message, and the login then fails. Therefore, only the root user has permission to access the Linux system.
You can also write a message in the file so that users who fail to log in know why access to the Linux system was refused. You can use the following command as a guide:
sudo sh -c 'echo "The Server is down for a Planned maintenance. We apologize for any inconvenience caused, the system will be up and running in 1 hours time. For more information, contact the system admin." > /etc/nologin'
Then try to access the Linux server as a non-root user to make sure the settings are applied:
ssh Opera@host
Output:
Opera@host's password:
The Server is down for a Planned maintenance. We apologize for any inconvenience caused, the system will be up and running in 1 hours time. For more information, contact the system admin.
Connection closed by host
As you can see, the normal Opera user could not access the Linux server, while this restriction does not apply to the root user.
You can enter the following command to remove the restriction applied on the login of normal users:
sudo rm /etc/nologin
Disabling login Accessibility via nologin Shell
Another way to restrict login access is to deny the user a shell. The user can still reach the Linux system through programs that do not need a shell, such as FTP.
You can even customize access to the shell for some specific users so that limited people have access to the shell.
In Ubuntu and Debian operating systems and their derivatives, using the /bin/false file, you can restrict users’ access to the Shell.
sudo chsh -s /bin/false Opera
To prevent users from entering the shell, you must change the user's shell in the /etc/passwd file to /sbin/nologin. In Fedora, CentOS, and RHEL operating systems, run the following command for this purpose:
sudo chsh -s /sbin/nologin Opera
Disable login Accessibility via /etc/passwd
In this method, changing the login shell of the user account to a specific value limits the user's ability to log in. To confirm that login is blocked for a user (for example the Opera user), check the user's entry in the /etc/passwd file with the following command:
less /etc/passwd | grep Opera
Output:
Opera:x:102:105::/nonexistent:/usr/sbin/nologin
As you can see, the last field, the user's default login shell, is set to /usr/sbin/nologin, which refuses logins.
Therefore, to ensure that user login access is disabled in Linux, try to log in to the Linux system as the Opera user by running the sudo su command:
sudo su Opera
Output:
This account is currently not available.
Because the Opera user’s default login shell is set to /usr/sbin/nologin, the Opera user is unable to access the Linux server login.
Disabling login Accessibility using /etc/shadow
Using the /etc/shadow file that stores hashed user password values is another useful way to apply restrictions on user login access.
To view the contents of the /etc/shadow file, run the following command:
sudo less /etc/shadow
In the output of the previous command, some user accounts have an asterisk (*) in the password field. These accounts do not have a set password, and unless one is set they cannot pass password authentication.
As a result, you can disable and invalidate the password by creating a user account with a password whose value is equal to an asterisk (*).
To disable login access for a specific user, you can use the passwd command with the -l flag, then check the user's entry in /etc/shadow with grep:
sudo passwd -l Opera
sudo less /etc/shadow | grep Opera
Output:
Opera:!$y$j9T$4gyOQ5ieEWdx1ZdggX3Nj1$AbEA9FsG03aTsQhl.ZVMXatwCAvnxFbE/GHUKpjf9u6:19276:0:99999:7::::::
The output of the previous command shows the hashed password, which passwd -l has invalidated by putting a (!) sign in front of it.
The passwd command with the -l flag prevents the user from logging in, and the passwd command with the -u flag removes the restriction:
sudo passwd -u Opera
Disabling login via the usermod command
It is possible to change the user profile by executing the usermod command. Similar to the passwd command, you can use the usermod command to block user login access and unblock user login access:
sudo usermod -L Opera
sudo usermod -U Opera
Like passwd -l, the usermod -L command invalidates the user's hashed password in the /etc/shadow file, so the system prevents the specified user from logging in with that password.
Another way to prevent users from connecting to the Linux server is to use the usermod command to change the user's default login shell to one that does not allow logins (such as nologin):
sudo usermod -s /usr/sbin/nologin username
Disabling login Accessibility upon account lifetime expiration
The user accounts you create in Linux have a lifetime, that is, an account expiration date. If you change the expiration date to a date in the past, the account is treated as expired, and the system prevents an expired user account from logging in. To change the expiration date of a user account, you can use the chage -E command:
Thu jan 26 20:38:36 EDT 2023
chage -E 2023-01-25 user5
chage -l user5
Last password change : jan 26, 2023
Password expires : Mar 26, 2024
Password inactive : never
Account expires : jan 25, 2023
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
By setting the expiration date of the user account to the previous day, we made the account expired as of today, so if that user tries to log in to the Linux system today, login access is refused. (Current date: Jan 26 and the expiration date: Jan 25.)
Disabling login access by editing the user’s password
This method is not recommended because it is unethical. In special circumstances, if you have to, it can be one of the methods to prevent user login access. As a system administrator, you can enter the user's account using the user's password and remove the user's password. After that, the user will have problems when trying to log in to the Linux system with the old password and must set a new password for the user account.
Run the following command to empty the password:
passwd -d Opera
Removing password for user Opera.
passwd: Success
Then make sure that the Opera user's password is removed by running the passwd -S command:
passwd -S Opera
Opera NP 2023-01-26 1 90 7 -1 (Empty password.)
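The checks from the sections above combined into one audit function, as an added example that is not part of the original article: it reads an account's passwd and shadow entries and reports which of the lock mechanisms apply. The function name login_state, the NOLOGIN_FILE override and the sample entries with placeholder hashes are assumptions made for this example.

```sh
#!/bin/sh
# Added example: report which lock mechanisms from this article apply to an account.
# Usage: login_state USER PASSWD_FILE SHADOW_FILE [TODAY_IN_DAYS_SINCE_EPOCH]
# NOLOGIN_FILE is a hypothetical override of /etc/nologin for offline testing.
login_state() {
    user=$1; passwd_file=$2; shadow_file=$3
    today=${4:-$(( $(date +%s) / 86400 ))}
    # Stop if there is no shadow entry, so "missing" is never read as "empty".
    awk -F: -v u="$user" '$1 == u { f = 1 } END { exit !f }' "$shadow_file" ||
        { echo "unknown-user"; return 1; }
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd_file")
    pw=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow_file")
    expire=$(awk -F: -v u="$user" '$1 == u { print $8 }' "$shadow_file")
    state=""
    # /etc/nologin blocks every account except root.
    if [ "$user" != root ] && [ -e "${NOLOGIN_FILE:-/etc/nologin}" ]; then
        state="$state nologin-file"
    fi
    case $shell in
        */nologin|*/false) state="$state shell-blocked" ;;
    esac
    case $pw in
        '')   state="$state password-empty" ;;    # passwd -d: not a lock
        '!'*) state="$state password-locked" ;;   # passwd -l / usermod -L
        '*'*) state="$state password-unusable" ;; # no valid hash was ever set
    esac
    # Shadow field 8 is the expiry in days since 1970-01-01; empty means never.
    if [ -n "$expire" ] && [ "$expire" -gt 0 ] && [ "$expire" -le "$today" ]; then
        state="$state account-expired"
    fi
    state=${state# }; echo "${state:-none}"
}

# Constructed sample files (placeholder hashes, not real ones).
demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
Opera:x:102:105::/nonexistent:/usr/sbin/nologin
user5:x:1005:1005::/home/user5:/bin/bash
guest:x:1006:1006::/home/guest:/bin/bash
EOF
cat > "$demo_dir/shadow" <<'EOF'
Opera:!$y$j9T$CONSTRUCTEDsalt$CONSTRUCTEDhash:19276:0:99999:7:::
user5:$y$j9T$CONSTRUCTEDsalt$CONSTRUCTEDhash:19383:0:90:7::19382:
guest::19383:1:90:7:::
EOF
export NOLOGIN_FILE="$demo_dir/nologin"   # absent, so only per-account locks show
for u in Opera user5 guest; do
    echo "$u: $(login_state "$u" "$demo_dir/passwd" "$demo_dir/shadow" 19383)"
done
```

A result of password-locked on its own means only password authentication is blocked: as passwd(1) notes, the user may still log in with another token such as an SSH key, so the account should also be expired or given a nologin shell. A result of password-empty is not a lock at all and should be treated as a finding.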
Conclusion
The system administrator is responsible for system maintenance and also improving the security of the Linux system when faced with problems. Therefore, Linux administrators should be able to find the best solution to solve the problems they face. Security, which has always been one of the most important issues for system administrators, requires the most attention and focus. One of the ways to prevent intrusion and unauthorized access when the system has a challenge related to security issues is to control and restrict User Login Accessibility.
In this article, we presented the most common methods to disable user login access in Linux, but the best method is to edit the /etc/nologin file because you can provide a message to users that explains why the login failed.
Thank you for reading this article to the end and giving us your valuable time. We hope that we have been able to provide informative and useful content.
Copy and Post from
https://operavps.com/docs/disable-user-login-in-linux/#