How to Harden and Secure a Linux Server: Part 3

Temporarily disabling an account is a good alternative in cases where you don't want to permanently remove the account.

There are many ways to lock or disable a user account. One way is to disable password authentication for the account. This prevents the user from logging in with a password, but it does not prevent logins by other means, such as SSH public key authentication, so on its own it is not a complete lock.

To disable the user's password, run the following command as root:

passwd -l user

What this does is place an exclamation point "!" in front of the user's hashed password. The resulting string can never match any hash, so the user can no longer authenticate with a password. (usermod -L user does exactly the same thing.)

We can locate the hashed password by checking the /etc/shadow file, a text file, readable only by root, that holds the system's password hashes and password/account ageing information.

/etc/shadow contains one entry per line, each line representing a user account. Each line contains nine colon-separated fields:

dion:$y$j9T$Jdgu31YcWckTjtOemvduU.$/bNiEtjeY8lQoktzzX1tfaPX5aLSIJE72Soh4cgAlPB:19321:0:90:7:::

Here are the 9 fields broken down:

  1. Username; this is the user account that exists on the system.

  2. Hashed password; the format is $id$salt$hash (the $y$ prefix above is yescrypt, which also carries a parameter field after the id). A leading "!" or "*" means the password is locked and no password can match it.

  3. Last password change date; the number of days is counted since January 1, 1970 (epoch date).

  4. Minimum password age; the number of days that must pass before the user password can be changed. Usually set to zero, which means that there is no minimum password age.

  5. Maximum password age; the number of days after which the user password must be changed. By default (PASS_MAX_DAYS in /etc/login.defs), this is 99999, which in practice means the password never expires.

  6. Warning period; the number of days before the password expires during which the user is warned that the password must be changed.

  7. Inactivity period; the number of days after the password expires during which the old password is still accepted. Once it has passed, the account is disabled. This field is typically empty.

  8. Expiration date; the day on which the account becomes disabled, expressed as days since the epoch. Unlike a password lock, account expiry is enforced at login regardless of the authentication method.

  9. This field is ignored and is reserved for future use.

To verify the password is locked, run the following. The second field of the output is L for a locked password, P for a usable password and NP for no password:

passwd --status user

When you're ready to unlock the account run:

passwd -u user

An alternative method of disabling a user account is to set a date on which the account will be disabled:

usermod --expiredate yyyy-mm-dd user

On my Ubuntu machine, I've created a user called "tux" and configured the password for this user to expire in 90 days.

If I wanted to set the account expiration one week from now (December 3rd), I would run the following:

usermod --expiredate 2022-12-03 tux

We can check this by running:

chage -l tux

To demonstrate how I can completely disable tux's account, I'll set the account expiration date to a date in the past.

usermod --expiredate 1 tux

This sets the account expiration date to January 2, 1970: the value is a number of days since the Unix epoch (January 1, 1970), so "1" means one day after it. Because account expiry is checked for every login method, this also blocks SSH key logins, which a password lock alone does not. Note that neither method ends sessions that are already open; terminate those separately (for example with pkill -KILL -u tux).

To re-enable the account, or set the expiration date to never, pass an empty date:

usermod --expiredate "" tux
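The following POSIX shell script is an added example, not code from the original post. It ties together the nine /etc/shadow fields listed above and the lock and expiry states discussed in this part: it parses each entry and reports whether the account is expired (field 8), has a locked password (field 2), has an expired or inactive password (fields 3, 5 and 7), or is active. The entries in SAMPLE_SHADOW are constructed for this example and the hashes are placeholders; the day-number thresholds are an approximation of the checks pam_unix performs, with account expiry taking precedence because it blocks every login method.

```shell
#!/bin/sh
# Added example (not from the original post): classify /etc/shadow entries by the
# lock and expiry fields described above. Sample entries are constructed for this
# example; the hashes are placeholders, not real password hashes.

SAMPLE_SHADOW='dion:$y$j9T$Jdgu31YcWckTjtOemvduU.$/bNiEtjeY8lQoktzzX1tfaPX5aLSIJE72Soh4cgAlPB:19321:0:90:7:::
tux:!$y$j9T$placeholderSalt$placeholderHash:19321:0:99999:7:::
goner:$y$j9T$placeholderSalt$placeholderHash:19321:0:99999:7::1:
stale:$y$j9T$placeholderSalt$placeholderHash:19000:0:90:7:30::
overdue:$y$j9T$placeholderSalt$placeholderHash:19230:0:90:7:::
nopass::19321:0:99999:7:::'

# shadow_state LINE TODAY   (TODAY = days since 1970-01-01, same unit as fields 3 and 8)
# Prints exactly one of:
#   account-expired    field 8 set and not in the future: every login method is refused
#   locked-password    field 2 starts with '!' or '*' (passwd -l / usermod -L):
#                      password auth fails, key-based SSH still works
#   no-password        field 2 is empty
#   password-inactive  field 3 + field 5 + field 7 has passed: account disabled
#   password-expired   field 3 + field 5 has passed: must change password at login
#   active             none of the above
shadow_state() {
    today=$2
    IFS=: read -r name hash lastchg min max warn inact expire _ <<EOF
$1
EOF
    # Account expiry (field 8) wins over everything else. 0 is treated as "unset".
    if [ -n "$expire" ] && [ "$expire" -gt 0 ] && [ "$expire" -le "$today" ]; then
        echo account-expired; return
    fi
    # Lock marker in the hash field (field 2).
    case $hash in
        '!'* | '*'*) echo locked-password; return ;;
        '')          echo no-password;     return ;;
    esac
    # Password ageing: 99999 is the "never expires" default, so skip it.
    if [ -n "$max" ] && [ "$max" -lt 99999 ] && [ -n "$lastchg" ]; then
        if [ -n "$inact" ] && [ $((lastchg + max + inact)) -le "$today" ]; then
            echo password-inactive; return
        fi
        if [ $((lastchg + max)) -le "$today" ]; then
            echo password-expired; return
        fi
    fi
    echo active
}

# audit_shadow TODAY [FILE]: one "username state" line per entry.
# Without FILE, uses the constructed sample above.
audit_shadow() {
    today=$1
    if [ $# -ge 2 ]; then input=$(cat "$2"); else input=$SAMPLE_SHADOW; fi
    printf '%s\n' "$input" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%-10s %s\n' "${line%%:*}" "$(shadow_state "$line" "$today")"
    done
}

# Report on the sample as of day 19330 (2022-12-04). On a live host, as root:
#   audit_shadow "$(( $(date +%s) / 86400 ))" /etc/shadow
audit_shadow 19330
```

The expired-account entry ("goner", field 8 set to 1) is what usermod --expiredate 1 produces, and it is reported as disabled even though its hash is intact; the locked entry ("tux") is what passwd -l produces, and it is reported only as a password lock, which is the distinction the text above draws between the two methods.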