By Justin Ellingwood and Alex Garnett
A fundamental part of system administration is configuring and managing users and groups. Part of this task involves monitoring the log in capabilities of all system entities.
In this guide, we will introduce the ideas behind user management and authentication logging.
We will be exploring these concepts on a Ubuntu 22.04 server, but you can follow along on any modern Linux distribution. You can set up a Ubuntu 22.04 server for this tutorial by following our guide to Initial Server Setup on Ubuntu 22.04.
As mentioned in the previous tutorial in this series, some of the users on your server may be associated with services, and are not intended to be used as regular accounts.
In this section, you will review how to restrict the login capabilities of these users in a number of ways.
One method of restricting the login capabilities is to set the account’s login shell to a special value.
An example of this is the
messagebus user, which you can use grep to search for within the
- less /etc/passwd | grep messagebus
The final value is the shell or the command that is run when the login is successful. In this case, the value is set to
If you try to switch to the
messagebus user using
sudo su, it will fail:
- sudo su messagebus
OutputThis account is currently not available.
You receive this message because the shell for
messagebus is set to
You can use the
usermod tool to change a user’s default login shell (usually
/bin/bash) to a nonexistent shell like
nologin when you need to prevent them from logging in.
- sudo usermod -s /usr/sbin/nologin username
Another, similar method of restricting access is to use the
/etc/shadow file. This file contains the hashed password values of every user on the system.
You can use
less to view the entire file:
- sudo less /etc/shadow
Output. . . uuidd:*:19105:0:99999:7::: tcpdump:*:19105:0:99999:7::: sshd:*:19105:0:99999:7::: pollinate:*:19105:0:99999:7::: landscape:*:19105:0:99999:7::: lxd:!:19180:::::: sammy:$y$j9T$4gyOQ5ieEWdx1ZdggX3Nj1$AbEA9FsG03aTsQhl.ZVMXatwCAvnxFbE/GHUKpjf9u6:19276:0:99999:7:::
The second field (the one starting with
$y$j9T$4gyO… in the last line) contains the hashed password value.
The system accounts have an asterisk (
*) instead of a complex hash value. Accounts with an asterisk in the second field have not had a password set and are not able to authenticate by password without changing this.
You can disable a password value (in effect, making an account with a password equivalent to the asterisk value), by preceding the hash value with an exclamation point (
Two tools can do this by “locking” the specified account.
passwd command can be locked with the
-l flag and unlocked with the
- sudo passwd -l sammy
- sudo less /etc/shadow | grep sammy
As you can see, the hashed password is retained, but made invalid by placing a
! in front of it.
The account can be unlocked again by typing:
- sudo passwd -u sammy
Equivalent operations are available using the
usermod command. The corresponding flags are
-L for locking, and
-U for unlocking:
- sudo usermod -L sammy
- sudo usermod -U sammy
Note: While this method of restricting access will function correctly for all password-based logins, methods of logging in without a password (for example, with ssh keys) will still remain available.
There may be some situations when you need to disable all account logins, other than root.
This could be because of in-depth maintenance, or because one or more of your user accounts has been compromised.
In any case, this can be accomplished by creating a file at
- sudo touch /etc/nologin
This will prevent any account from logging in that does not have superuser privileges.
With an empty
/etc/nologin file, this just dumps the user back to their local shell without any explanation.
What is really happening is that the contents of the file are returned to the user. If you add a message, users will receive an explanation for the login failure:
- sudo sh -c 'echo "Planned maintenance. Log in capabilities will be restored at 1545 UTC" > /etc/nologin'
Now when you try to log in with a password, you will receive this message:
- ssh sammy@host
Outputsammy@host's password: Planned maintenance. Log in capabilities will be restored at 1545 UTC Connection closed by host
Root users can still log in normally. Remove the “/etc/nologin” file to reverse the login restriction:
- sudo rm /etc/nologin
User authentication on Linux is a relatively flexible area of system management. There are many ways of accomplishing the same objective with widely available tools.
You should now know how to restrict usage through various methods.
In the next part of this tutorial series, you will review how to monitor user logins.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Click below to sign up and get $200 of credit to try our products over 60 days!
Good article, thanks!
@narin: Yes, it’ll make the Remote Console unusable as you wouldn’t be able to log in as root. You can disable root SSH login by setting
without-password(SSH key-login only) in
/etc/ssh/sshd_configand restarting ssh:
Suppose I am always access the host as root via the Console Access within digitalocean.com
Is it okay to set /user/sbin/nologin to root in order to prevent anyone attempted to root access via other means such as ssh? Will this also make the Console Access not usable?
I want to try this out but not yet dare to, since I might not be able to root access anymore if incorrectly done.