User administration: restricting access
1. With the chage command, an account expiration can be set. Once that date is reached, the user cannot log into the system interactively.
Let us run ‘chage’ interactively to set user’s account expiry –
[root@kauai /]# chage sshtest Changing the aging information for sshtest Enter the new value, or press ENTER for the default Minimum Password Age : Maximum Password Age : Last Password Change (YYYY-MM-DD) [2015-11-04]: Password Expiration Warning : Password Inactive [-1]: Account Expiration Date (YYYY-MM-DD) [-1]: 2017-03-30 [root@kauai /]# chage -l sshtest Last password change : Nov 04, 2015 Password expires : never Password inactive : never Account expires : Mar 30, 2017 Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7
2. In addition to this, the usermod command can “lock” an account with the -L option. Say when a user is no longer with a company, the administrator may lock and expire an account with a single usermod command. The date must be given as the number of days since January 1, 1970. Setting the expiredate to 1 will immediately lock the account –
[student@serverX ~]$ sudo usermod -L -e 1 elvis [student@serverX ~]$ sudo usermod -L elvis [student@serverX ~]$ su - elvis Password: elvis su: Authentication failure
Locking the account prevents the user from authenticating with a password to the system. It is the recommended method of preventing access to an account by an employee who has left the company. If the employee returns, the account can later be unlocked with
usermod -U USERNAME
. If the account was also expired, be sure to also change the expiration date.
3. The nologin shell. Sometimes a user needs an account with a password to authenticate to a system, but does not need an interactive shell on the system.
For example, a mail server may require an account to store mail and a password for the user to authenticate with a mail client used to retrieve mail.
That user does not need to log directly into the system.
A common solution to this situation is to set the user’s login shell to /sbin/nologin. If the user attempts to log into the system directly,
the nologin “shell” will simply close the connection.
[root@serverX ~]# usermod -s /sbin/nologin student [root@serverX ~]# su - student Last login: Tue Feb 4 18:40:30 EST 2014 on pts/0 This account is currently not available.