Linux User Management - Locking/Unlocking user accounts

we will cover the topic of locking and unlocking user accounts in Linux. Locking a user account prevents the user from logging in, while unlocking it allows the user to log in again. This can be useful in situations where a user account has been compromised or is no longer needed.

We will provide code examples for locking and unlocking user accounts, and also discuss how to set up a testing environment on Ubuntu and test the code examples provided.

Code Examples:

To lock a user account in Linux, you can use the passwd command with the -l option. For example, to lock the user account raj, you can run the following command:

sudo passwd -l raj

This will set the account password to a value that cannot be used for authentication, effectively locking the account. To unlock the account, you can use the passwd command with the -u option, like so:

sudo passwd -u raj

This will reset the account password, allowing the user to log in again.

You can also use the usermod command to lock or unlock a user account. To lock the account, you can run the following command:

sudo usermod --expiredate 1 raj

This will set the expiration date of the user account to one day in the past, effectively locking the account. To unlock the account, you can run the following command:

sudo usermod --expiredate "" raj

This will remove the expiration date from the user account, allowing the user to log in again.

Locking a user account by setting an expiration date:

Another way to lock a user account is to set an expiration date on their password. To do this, you can use the chage command with the -E option, followed by the date on which you want the user's password to expire, and the username of the user whose account you want to lock. For example, to lock the account for the user "monika" on April 1st, 2023, you would run the following command:

sudo chage -E 2023-04-01 monika

This will set the expiration date for the user's password, effectively locking their account.

Unlocking a user account by removing the expiration date:

To unlock a user account that has been locked by setting an expiration date on their password, you can remove the expiration date using the chage command with the -E option and the value -1, followed by the username of the user whose account you want to unlock. For example, to unlock the account for the user "monika", you would run the following command:

sudo chage -E -1 monika

This will remove the expiration date from the user's password, effectively unlocking their account.

Unlocking user accounts after a set time period:

You can set a specific time period for which a user account is locked, after which it is automatically unlocked. This can be achieved using the pam_tally2 module.

To enable this feature, open the /etc/pam.d/common-auth file and add the following line at the top:

auth optional pam_tally2.so deny=3 unlock_time=60

This will lock user accounts after 3 failed login attempts and automatically unlock them after 60 seconds.

Locking user accounts after a certain amount of idle time:

You can set a maximum idle time for user accounts, after which the account is automatically locked. This can be achieved using the useradd command with the -f option, followed by the maximum idle time in seconds.

For example, to set the maximum idle time for the "raj" user account to 10 minutes (600 seconds), you can use the following command:

sudo useradd -f 600 raj

Preventing users from logging in:

Sometimes you may need to prevent users from logging in to the system, while still keeping their accounts active. This can be achieved by changing the user's shell to /usr/sbin/nologin.

To change the shell for a user account, use the chsh command:

sudo chsh -s /usr/sbin/nologin valli

This will prevent the "valli" user account from logging in to the system.

Code examples:

To lock/unlock user accounts after a set time period, you can use the pam_tally2 module in the /etc/pam.d/common-auth file, as described above.

To lock a user account after a certain amount of idle time, you can use the useradd command with the -f option, as described above.

To prevent users from logging in, you can use the chsh command to change their shell to /usr/sbin/nologin, as described above.

When managing user accounts in Linux, it is important to follow best practices to ensure that the accounts are secure and well-maintained. Here are some best practices to keep in mind:

Use strong passwords: When setting passwords for user accounts, use strong passwords that are difficult to guess or crack. This can help prevent unauthorized access to the system.

Use a password policy: Implement a password policy that enforces minimum password length, complexity, and expiration rules. This can help ensure that passwords are changed regularly and are strong enough to resist brute-force attacks.

Limit sudo access: Grant sudo access only to users who need it to perform specific tasks. This can help prevent accidental or intentional damage to the system.

Monitor user accounts: Monitor user accounts regularly for suspicious activity, such as failed login attempts or unusual commands being run. This can help detect and prevent security breaches.

Disable unused accounts: Disable or remove user accounts that are no longer needed. This can help reduce the attack surface of the system.

By following these best practices, you can help ensure that user accounts are secure and well-maintained, reducing the risk of security breaches and system downtime.