8

From man usermod:

Note: if you wish to lock the account (not only access with a password), you should also set the EXPIRE_DATE to 1.

  • Why should we expire a locked account to totally prevent access to the account?
  • What will happen if I do not expire a locked account?
muru
Sinoosh

2 Answers

13

usermod -L actually only locks the user's password, so the user is still able to log in using other methods, for example an SSH session which uses public key authentication.

But if you set the EXPIRE_DATE to 1, the account will be expired entirely and the user is not able to use it in any way. This is because 1 is equal to it expiring at 1970-01-01 00:00:01.

Tim
Ravexina
  • 1
    How about `usermod -L -e 300 username`? Will the account be expired entirely? – Sinoosh Oct 12 '18 at 18:18
  • 1
    @Sinoosh It's somehow the same. The expire date would be set to `Oct 28, 1970`, which makes the account expired. – Ravexina Oct 12 '18 at 18:25
  • Thank you, could you tell me how I can log in to a locked account by SSH? – Sinoosh Oct 12 '18 at 18:37
  • 1
    Read these: [How to create multiple ssh keys?](https://askubuntu.com/questions/929934/how-to-create-multiple-ssh-keys), [How do I set up SSH authentication keys?](https://askubuntu.com/questions/61557/how-do-i-set-up-ssh-authentication-keys) and [How can I set up password-less SSH login?](https://askubuntu.com/questions/46930/how-can-i-set-up-password-less-ssh-login). – Ravexina Oct 12 '18 at 18:40
  • 1
    @Ravexina It would be better if you actually called it "SSH public key authentication" in your answer, because it's the authentication mechanism that is bypassing the password, not SSH per se ;) – marcelm Oct 12 '18 at 19:13
  • 1
    @marcelm You are right. Updated the answer... – Ravexina Oct 12 '18 at 20:07
  • Well, that's some sorry naming... – jpmc26 Oct 13 '18 at 04:43
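As an added illustration of the difference this answer describes (not code from the answer or from the shadow tools): a POSIX shell audit that classifies constructed /etc/shadow-style entries by whether only the password is locked (field 2 prefixed with `!`) or the account itself has expired (field 8, days since 1970-01-01), and lists locked-but-unexpired accounts that a non-password method such as SSH public key authentication can still reach. The function names `shadow_state` and `still_reachable` and the sample entries are assumptions of this example.

```shell
# Classify one /etc/shadow entry. "usermod -L" only prefixes the password hash
# (field 2) with '!', which blocks password authentication and nothing else;
# a past expiry date (field 8, days since 1970-01-01) disables the account
# itself, which is what the man page note is pointing at.
#
# Usage: shadow_state '<shadow line>' [today_in_days]
# Prints: open | password-locked-only | expired | locked-and-expired
shadow_state() {
    line=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    expire=$(printf '%s\n' "$line" | cut -d: -f8)

    locked=0
    case $hash in
        '!'*|'*'*) locked=1 ;;   # '!' from usermod -L / passwd -l; '*' = no usable password
    esac

    expired=0
    # shadow(5): empty field = never expires; 0 is documented as ambiguous, so treat it as never too
    if [ -n "$expire" ] && [ "$expire" -gt 0 ] && [ "$expire" -le "$today" ]; then
        expired=1
    fi

    if [ "$locked" -eq 1 ] && [ "$expired" -eq 1 ]; then echo locked-and-expired
    elif [ "$expired" -eq 1 ]; then echo expired
    elif [ "$locked" -eq 1 ]; then echo password-locked-only
    else echo open
    fi
}

# Audit helper: read shadow-format lines on stdin and print the names of
# accounts that are password-locked but not expired, i.e. the ones that a
# non-password method (SSH public key authentication, for instance) can still reach.
# Usage: still_reachable [today_in_days] < shadow-lines
still_reachable() {
    while IFS= read -r l; do
        if [ "$(shadow_state "$l" "$1")" = password-locked-only ]; then
            printf '%s\n' "${l%%:*}"
        fi
    done
}

# Constructed sample entries (not from any real system); hashes are placeholders.
SAMPLE_OPEN='alice:$6$salt$placeholder:17800:0:99999:7:::'
SAMPLE_LOCKED='bob:!$6$salt$placeholder:17800:0:99999:7:::'
SAMPLE_LOCKED_EXPIRED='carol:!$6$salt$placeholder:17800:0:99999:7::1:'
SAMPLE_EXPIRE_300='dave:$6$salt$placeholder:17800:0:99999:7::300:'
```

Run `still_reachable < /etc/shadow` as root to list the accounts on a real system that were locked with `usermod -L` but never expired; passing no day argument makes it use today's date.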
2

Because SSH keys don't care about passwords, you need the account to die instead.

The old wisdom was to change the user's shell to /bin/false; however, this doesn't actually work.

Joshua