Restricting Log In Capabilities in Linux

Posted by JeremyL on Tue 29 October 2013

Another of the important basics in Linux is controlling the log in capabilities of users, including the service accounts that have a user associated with them. There are several ways to take that control, each with its own use case; it is up to you to decide which method is best for your box.

/etc/passwd User Restriction

/bin/false

With this method you change the default shell a user gets once logged in. There are special values you can put in that give them no shell at all. In the following output you can see the difference between a bash shell and a false one.

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false

You can see that root has a bash shell while bin and daemon both have a false shell. This means the user cannot log in and get a shell of any type. So if you try to switch to daemon from root, you will notice nothing happens and you stay the same user.

sudo su daemon

nologin

Another method is to give a user nologin as their shell. This differs slightly from false in that the user trying to log in gets a more informative response.
Arch Linux and Ubuntu keep nologin in different locations. On another system you can find out where yours is with the following command.

whereis nologin

Arch Linux

/usr/bin/nologin

Ubuntu

/usr/sbin/nologin

Now if you were to try and change into a user that has a nologin shell, you will see the following output.

sudo su dbus
This account is currently not available.

To give a user this shell you will want to issue the following command for the user you want to modify.

Ubuntu

sudo usermod -s /usr/sbin/nologin user

Arch Linux

sudo usermod -s /usr/bin/nologin user

You can even do this for regular users if you want to lock them out temporarily for system maintenance and remind them of the reason they are unable to log in. usermod will change the shell for the user you choose.

You could do the following and just change the message to fit your needs.

sudo sh -c 'echo "Scheduled maintenance. And what else you want to tell them." > /etc/nologin'

Now if you were to try to log in as the user with this modified nologin shell you would see output similar to the following.

sudo su modifiedUser
Scheduled maintenance. And what else you want to tell them.

It would be similar if you tried to ssh in as the same user. One caveat worth checking in your nologin(8) man page: current shadow and util-linux builds of nologin read a custom message from /etc/nologin.txt, while /etc/nologin is the file that login and sshd honour (through pam_nologin) to refuse every non-root user while it exists, not only the users with the nologin shell.

/etc/shadow User Restriction

The shadow file is where the hashed passwords on the system are stored. You can take similar control of users through this file as you did with the passwd file techniques shown above.
Your file will look similar to the following.

root:$6$/9Yf3sAk$lvOfnyvWuYzDmvRZ1MM7FKZhF7PxYMKvBq/E9nERMJg5ZmQYjPW3twEDUyzgRoxXQASJKLDAS98uquHziLud0:45916::::::
bin:x:14871::::::
daemon:x:14871::::::
mail:x:14871::::::
ftp:x:14871::::::
http:x:14871::::::
uuidd:x:14871::::::
dbus:x:14871::::::
nobody:x:14871::::::
avahi:!:15656::::::
polkitd:!:15656:0:99999:7:::
user:$6$AdRDPBk9$qz8OjCe.ZBOVrRgI/ahsjdASKLJdjh89asdhkASD87yd987sy6dgkjbasd78Vl8T.HvbVm/5CK004vLAKSXC/iwdEzi2/:45916:0:88888:7:::

The field just after the username holds the hashed password, if one is set. The number between the first two dollar signs ($6$) tells you which crypt method produced the hash. The following chart, taken from man crypt, lists the IDs you could see and the method each one uses.

     1   | MD5
     2a  | Blowfish (not in mainline glibc; added in some Linux distributions)
     5   | SHA-256 (since glibc 2.7)
     6   | SHA-512 (since glibc 2.7)

As you can see, the hash used in the example is a SHA-512 crypt hash. The full breakdown of the string is as follows.

$cryptID$salt$hashedPassword

On Arch based systems you will notice that system users have an x instead of a hashed value. On a Debian based system such as Ubuntu you will see an asterisk instead. An exclamation point means the password has been disabled. Placed in front of a hashed password it makes the entry equivalent to one with an x or asterisk: the hash is kept, but no password will match it.
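The shell and password field checks described in the passwd and shadow sections above, as an added audit helper (not from the original post). It classifies constructed passwd and shadow lines using the crypt ID table above and treats a leading ! as a lock; the sample lines and shortened hash bodies are made up for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the original post): classify accounts from
# constructed /etc/passwd and /etc/shadow lines using the rules above.

# Report the login shell from one passwd line (last field).
shell_status() {
    name=${1%%:*}
    shell=${1##*:}
    case $shell in
        */nologin|*/false) printf '%s: no interactive shell (%s)\n' "$name" "$shell" ;;
        *)                 printf '%s: interactive shell %s\n' "$name" "$shell" ;;
    esac
}

# Report the password field from one shadow line (second field):
# x or * = no password set, ! prefix = locked, $id$ = hash algorithm.
shadow_status() {
    name=${1%%:*}
    pw=${1#*:}; pw=${pw%%:*}
    state=active
    case $pw in
        '')        printf '%s: empty password field\n' "$name"; return ;;
        x|\*|!|!!) printf '%s: no password set, password login disabled\n' "$name"; return ;;
        !*)        state="locked (password auth only; SSH keys still work)"; pw=${pw#!} ;;
    esac
    case $pw in
        \$*) id=${pw#\$}; id=${id%%\$*} ;;   # take the id between the first two '$'
        *)   id=des ;;                       # no prefix: traditional DES crypt
    esac
    case $id in
        1)   algo=MD5 ;;
        2a)  algo=Blowfish ;;
        5)   algo=SHA-256 ;;
        6)   algo=SHA-512 ;;
        des) algo="traditional DES (no \$id\$ prefix)" ;;
        *)   algo="unknown id $id" ;;
    esac
    printf '%s: %s hash, %s\n' "$name" "$algo" "$state"
}

# Constructed sample lines (hash bodies shortened; not real credentials).
shell_status 'root:x:0:0:root:/root:/bin/bash'
shell_status 'dbus:x:81:81::/:/usr/bin/nologin'
shadow_status 'bin:x:14871::::::'
shadow_status 'avahi:!:15656::::::'
shadow_status 'alice:$6$AdRDPBk9$shortenedhash:45916:0:88888:7:::'
shadow_status 'bob:!$6$AdRDPBk9$shortenedhash:45916:0:88888:7:::'
shadow_status 'carol:$1$saltsalt$shortenedhash:45916:0:99999:7:::'
```

Run it against your real files with `while IFS= read -r l; do shadow_status "$l"; done < /etc/shadow` as root to get a one-line status per account.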

Two easy methods to lock out an account are to use the following tools.

passwd

passwd makes locking easy: the -l flag locks a user and the -u flag unlocks them again.

sudo passwd -l user
sudo grep '^user:' /etc/shadow
user:!$6$AdRDPBk9$qz8OjCe.ZBOVrRgI/ahsjdASKLJdjh89asdhkASD87yd987sy6dgkjbasd78Vl8T.HvbVm/5CK004vLAKSXC/iwdEzi2/:45916:0:88888:7:::

Now to unlock the user again.

sudo passwd -u user
sudo grep '^user:' /etc/shadow
user:$6$AdRDPBk9$qz8OjCe.ZBOVrRgI/ahsjdASKLJdjh89asdhkASD87yd987sy6dgkjbasd78Vl8T.HvbVm/5CK004vLAKSXC/iwdEzi2/:45916:0:88888:7:::

usermod

You can do the same with usermod as with passwd. The -L flag locks the user out and the -U flag unlocks them.

sudo usermod -L user
sudo grep '^user:' /etc/shadow
user:!$6$AdRDPBk9$qz8OjCe.ZBOVrRgI/ahsjdASKLJdjh89asdhkASD87yd987sy6dgkjbasd78Vl8T.HvbVm/5CK004vLAKSXC/iwdEzi2/:45916:0:88888:7:::

To unlock the user.

sudo usermod -U user
sudo grep '^user:' /etc/shadow
user:$6$AdRDPBk9$qz8OjCe.ZBOVrRgI/ahsjdASKLJdjh89asdhkASD87yd987sy6dgkjbasd78Vl8T.HvbVm/5CK004vLAKSXC/iwdEzi2/:45916:0:88888:7:::

There is one caveat to locking a user out with the shadow file methods listed above: they only disable the password. If the user can log in with ssh keys, the lock will not stop that, and you will need another method, such as the nologin shell shown above, for users with that type of access.

As you have seen, as with all things in Linux you have flexible methods to restrict log in capabilities. While this does not show every method possible, it gives you good insight and a first step into understanding the basics.