When someone leaves or an account is compromised, deleting it immediately can break cron jobs, file ownership, and mail. Locking it blocks access while keeping everything in place. It is a root task:
sudo usermod -L deploy
Lock the password (blocks password logins)
usermod -L puts a ! in front of the password hash in /etc/shadow, so no password will ever match. passwd -l does the same thing.
sudo usermod -L deploy # lock
sudo usermod -U deploy # unlock
sudo passwd -S deploy # check: L = locked, P = usable password, NP = no password
Important caveat: locking the password does not block SSH key logins. If the user has a key in authorized_keys, they can still get in. For a full lockout you need to block the shell too.
Block the shell (the real lockout)
Set the login shell to nologin, which refuses any interactive session including key-based SSH:
sudo usermod -s /usr/sbin/nologin deploy # block
sudo usermod -s /bin/bash deploy # restore
For a complete disable, do both: lock the password and set nologin. Locking the password alone is the most common mistake here, because key auth sails right past it.
Expire the account entirely
To disable an account on or after a date (or right now), expire it:
sudo chage -E 0 deploy # expired (epoch), blocks all login immediately
sudo chage -E -1 deploy # remove the expiry, re-enable
Account expiry blocks every login method, password and key alike, which makes it the cleanest single switch. See set password expiry and account aging for the full chage reference.
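To check which of the three states above an account is actually in, the following added example (not part of the original article) classifies an account from its passwd and shadow entries and flags the password-locked-but-key-still-works case. The function names, the verdict words, and the sample entries are constructed for illustration, and the live wrapper assumes keys are stored in ~/.ssh/authorized_keys.

```shell
#!/bin/sh
# Added example: classify how completely an account is disabled.
# lockout_state PASSWD_LINE SHADOW_LINE HAS_KEYS(yes|no) [TODAY_IN_DAYS_SINCE_EPOCH]
lockout_state() {
    ls_shell=${1##*:}                               # passwd field 7: login shell
    ls_hash=$(printf '%s\n' "$2" | cut -d: -f2)     # shadow field 2: password hash
    ls_expire=$(printf '%s\n' "$2" | cut -d: -f8)   # shadow field 8: expiry day
    ls_today=${4:-$(( $(date +%s) / 86400 ))}

    # chage -E 0 stores 0 here; chage -E -1 leaves the field empty.
    case $ls_expire in
        ''|*[!0-9]*) ;;
        *) if [ "$ls_expire" -le "$ls_today" ]; then echo expired; return 0; fi ;;
    esac

    # usermod -L / passwd -l prefix the hash with "!".
    case $ls_hash in '!'*) ls_pw=locked ;; *) ls_pw=usable ;; esac
    case $ls_shell in */nologin) ls_sh=blocked ;; *) ls_sh=open ;; esac

    if [ "$ls_pw" = locked ] && [ "$ls_sh" = blocked ]; then echo full
    elif [ "$ls_pw" = locked ] && [ "$3" = yes ]; then echo key-bypass
    elif [ "$ls_pw" = locked ]; then echo password-only
    elif [ "$ls_sh" = blocked ]; then echo shell-only
    else echo active
    fi
}

# Live wrapper for a real user; run as root so the shadow entry is readable.
# Assumption: keys are in ~/.ssh/authorized_keys.
lockout_check() {
    lc_pw=$(getent passwd "$1") || return 1
    lc_sd=$(getent shadow "$1") || return 1
    lc_home=$(printf '%s\n' "$lc_pw" | cut -d: -f6)
    if [ -s "$lc_home/.ssh/authorized_keys" ]; then lc_keys=yes; else lc_keys=no; fi
    lockout_state "$lc_pw" "$lc_sd" "$lc_keys"
}

# Constructed sample: password locked, shell still /bin/bash, key present.
lockout_state 'deploy:x:1001:1001::/home/deploy:/bin/bash' \
              'deploy:!$6$constructed$hash:19800:0:99999:7:::' yes 19900
```

Run lockout_check deploy as root after disabling an account; anything other than full or expired means at least one login path is still open.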
See also
- How to Delete a User on Linux: when locking is no longer enough.
- Set password expiry and account aging (chage): the chage -E switch that blocks key logins too.
- Force a password change at next login: a softer control for a suspect password.
- How to change a user password (passwd): the passwd states behind -S.