Putorius
Linux Quick Tips

Disable User Logins to Linux System

Sometimes it is necessary to disable user logins to a system. If you are doing maintenance and want to keep the system state clean for example. In this quick tip we will show you how to disable logins to a Linux system.

If you ever looked at an /etc/passwd file chances are you have seen a user shell set to /usr/sbin/nologin. This tells the system that that user does not have access to interactively login to the system. This is a good way to block logins for a specific user, but another file called /etc/nologin exists to block any non-root user from logging in.

Blocking All non-root Users from Logging Into a System

To block all non-root users from logging into the system you can simply create the /etc/nologin file.

sudo touch /etc/nologin

This will block any user. As soon as they authenticate the connect will be closed. This often confuses users, so it is a good idea to add a message. Simply add the message you want displayed to the file. You can open the file in your favorite text editor like vi, nano, or emacs and start typing. Or you can echo the message into the file like so:

echo "System down for maintenance, try again later" | sudo tee /etc/nologin

NOTE: You cannot use normal redirection with sudo, so we used the tee command instead.

Now when a user tries to login, they will receive the message and the connection will be closed.

$ ssh stacy@UbuntuDev
stacy@UbuntuDev's password:
System down for maintenance, try again later
Connection closed by UbuntuDev port 22

That is much more polite.

Unblock Logins

To unblock, or allow logins again, simply delete the /etc/nologin file.

sudo rm /etc/nologin

Block Specific User from Logging in Interactively

You can use the nologin shell to block interactive shell access for a specific user. This comes in handy if you only want to allow the user FTP access or similar.

The nologin shell is located at different paths for different systems.

For Ubuntu it is located in /usr/sbin/nologin

For Fedora it is located in /sbin/nologin

You can find where it is located by using the which command:

$ which nologin
/usr/sbin/nologin

To set the users shell to nologin, you can use the usermod command. Here we will set the "stacy" users shell to nologin.

usermod -s /usr/sbin/nologin stacy

Unblock Specific User from Logging in Interactively

To unblock or re-enable a user to login via an interactive shell, simply set their shell back to bash (or whatever shell you wish).

To set the "stacy" users shell back to bash:

usermod -s /bin/bash stacy

If you use "usermod -s" without any arguments the system will use the default shell for the user.

Conclusion

Now you should know how to disable user logins to a system. We covered disabling all user logins as well as settings for specific users. Feel free to sound off in the comments.

Exit mobile version