A common way to lock Linux user accounts is to use the passwd command:
This locks the account:
passwd -l username
This unlocks the account:
passwd -u username
This is a simple method, but it does NOT work after a user has set up SSH keys. The reason is that the command passwd -l works by modifying the /etc/passwd file. After SSH keys are set up, the /etc/passwd file is no longer used for user authentication when logging in via SSH.
A more reliable way to lock a user account is to use the chage command, which changes the account expiration date. This method works regardless of whether the user has set up SSH keys. It does not modify the /etc/passwd file; it sets an account expiration date.
List current expiration date:
chage -l username
Set expiration date to Feb 1st, 2016:
chage -E 2016-02-01 username
Setting expiration date to 0 (zero) disables the account:
chage -E 0 username
Setting expiration date to -1 removes the expiration date on the account; in other words, the account will never expire:
chage -E -1 username
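
To audit which kind of lock an account actually has, the following check is an added example, not part of the original page. It classifies one account record in the format printed by getent shadow. It assumes a system with shadow passwords, where passwd -l leaves a "!" prefix on the password field and chage -E sets the eighth (expire) field. The function name and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an account from one shadow-format record.
# Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
#
# account_state RECORD [TODAY]
#   RECORD  one line as printed by: getent shadow username   (needs root)
#   TODAY   days since 1970-01-01 (defaults to the current day)
# Prints:
#   expired          expiration date reached (the chage -E lock); per the
#                    text above this blocks SSH key logins too
#   password-locked  "!" prefix on the password (the passwd -l lock);
#                    SSH key logins are not affected
#   active           neither lock is present
account_state() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    IFS=: read -r _name pw _lastchg _min _max _warn _inactive expire _rest <<EOF
$1
EOF
    case $expire in
        ''|-1) ;;                                  # no expiration date set
        *[!0-9]*) echo "malformed"; return 1 ;;    # not a day number
        *)  # Assumption of this example: expired once today reaches the field
            if [ "$today" -ge "$expire" ]; then
                echo "expired"
                return 0
            fi ;;
    esac
    case $pw in
        '!'*) echo "password-locked" ;;
        *)    echo "active" ;;
    esac
}

# Constructed sample records (not real accounts or hashes).
# Day 16832 is 2016-02-01; the check below runs as of day 16900.
while IFS= read -r rec; do
    printf '%s\t%s\n' "${rec%%:*}" "$(account_state "$rec" 16900)"
done <<'EOF'
alice:!$6$constructedhash:16800:0:99999:7:::
bob:$6$constructedhash:16800:0:99999:7::0:
carol:$6$constructedhash:16800:0:99999:7::16832:
dave:$6$constructedhash:16800:0:99999:7:::
EOF
```

An account that reports password-locked but not expired is the case described above where SSH key logins continue to work.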