5 effective ways to unlock user account in Linux
There can be multiple situations wherein your Linux user account may get locked. Some of the possible scenarios can be:
- Password is explicitly locked by the administrator
- Account is explicitly locked by the administrator
- Password was never assigned hence unable to login
- Multiple failed login attempts (controlled by pam_tally2 or pam_faillock)
We will cover each of these scenarios and share the method to unlock a Linux user account in that situation.
1. Unlock user account when password was never assigned
Now this is not a typical scenario of user lockout, but it is definitely one possible use case. Many times the administrator creates a user but forgets to assign a password. In such a case, when the respective user tries to login they may get "Access denied" and the log may contain "Failed password for XXXX".
First let’s check if the password for this user is locked:
Yes, as expected the user account's password seems to be locked. We can try to unlock it using the passwd --unlock command:
This means the user's password is currently empty, which is most likely the case when the user's password was never set. We will confirm this by checking this user's entry in the /etc/shadow file:
If you are aware of the different fields of the /etc/shadow file, you know that the second field contains the encrypted password. In our case the second field for user1 contains only two exclamation marks ( !! ), which means a password was never set for this user.
For example, here is an output snippet for root user where you can see that the second field contains encrypted password:
So in such a scenario there is nothing to unlock; just go ahead and assign a password to this user using the passwd command.
For example, I will assign a password for user1:
and now I should be able to login with this user:
2. Unlock user account when password is locked
We can also lock a user account by locking the user’s password with passwd command. For example here I have locked user1’s password:
So as you can see from the man page of passwd, the password is locked but the user can still login using other means such as public key authentication.
To verify if the user account password is locked:
You can also check the user entry in /etc/shadow file:
As you can see, we have two additional exclamation marks in the password field, but the output differs from Scenario 1 above. Here we do have an encrypted password (so the password is not empty), but since the encrypted password has been modified it is no longer recognised, hence the user fails to login.
To unlock the user password, we need to use the --unlock argument with the passwd command:
Or you can just go ahead and remove those exclamation marks from /etc/shadow file for user1 and that should also unlock the user account:
3. Unlock user account when account is locked using usermod
We can use the following usermod command to lock the password of any Linux user account:
This option is similar to passwd --lock, as the above command will add a single exclamation mark in the second field of the /etc/shadow file for the respective user:
Since the password field now contains an additional character, password login for the user will be disabled.
The same can be verified using passwd command:
To unlock such a user account in Linux, just use --unlock with usermod and the username:
OR just go ahead and manually remove that exclamation mark from the user1 entry in /etc/shadow file and re-verify the user account status:
4. Unlock user account when account is expired
It is also possible that your user account on the Linux box has expired, in which case you are not allowed to login. When you try to login, you may get the following message in /var/log/secure:
So first check the expiry date of the user using chage command:
So as you can see, the expiry date of user1 is in the past, so it is quite obvious that the user account will be locked. To unlock such a user account, you just have to change the expiry date of this user to a date in the future.
For example the following can be used to set an account to expire in 180 days:
Now check the user expiry date:
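Scenarios 1 to 4 all show up as different values in the user's /etc/shadow entry. The following shell function is an added example (not code from the original article): it classifies a shadow line from the password field (field 2) and the account-expiry field (field 8), and runs on a constructed sample file with a fixed "today" day number so it works without root.

```shell
# Classify a Linux account from one /etc/shadow line.
# Prints one of: expired, empty, nopass, locked, active.
# Usage: shadow_state '<shadow line>' [today_as_days_since_epoch]
shadow_state() {
    line=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    # Field 2 is the password hash; field 8 is the account expiry as a day
    # count since 1970-01-01 (the same unit chage -E accepts).
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    expire=$(printf '%s\n' "$line" | cut -d: -f8)

    # An expiry date in the past blocks every login method, keys included,
    # so it is checked before the password field.
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo expired
        return
    fi
    case $hash in
        '')           echo empty ;;   # no password required at all: fix this
        '!!'|'!'|'*') echo nopass ;;  # never set (!! on RHEL, ! on Debian) or unusable (*)
        '!'*)         echo locked ;;  # usermod -L prefixes "!", passwd -l prefixes "!!"
        *)            echo active ;;
    esac
}

# Print "<user> <state>" for every entry in a shadow-format file.
shadow_report() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s\n' "${line%%:*}" "$(shadow_state "$line" "$2")"
    done <"$1"
}

# Constructed sample in /etc/shadow format (hashes are placeholders).
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
user1:!!:18700:0:99999:7:::
user2:!!$6$saltsalt$PLACEHOLDER:18700:0:99999:7:::
user3:!$6$saltsalt$PLACEHOLDER:18700:0:99999:7:::
user4:$6$saltsalt$PLACEHOLDER:18700:0:99999:7::18600:
user5:$6$saltsalt$PLACEHOLDER:18700:0:99999:7:::
EOF
shadow_report "$SAMPLE" 18800   # day 18800 is used as "today"
```

Run it as root against the real file with `shadow_report /etc/shadow` (no second argument) to audit every account at once.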
5. Unlock user account when locked after multiple failed login attempts
Now this is a more realistic and common scenario in which a user account can get locked: you forgot the password and kept on trying until you finally realised, oh shit, my account is locked.
By default this feature is controlled via either pam_tally2 or pam_faillock module. To check the active module on your environment you can use:
Sample output from a Linux server with both modules:
In this case I have both modules installed on my server, so depending on which module locked the user, you must use the same module to unlock the user account. Later distros may ship only one of the modules.
For example, here only pam_faillock module is available:
Here we don't have the pam_tally2 module, so we will only use faillock.
5.1 Using pam_faillock module
Assuming your admin is using pam_faillock to lock the user account, you can execute faillock from the terminal as root user to list the failed login attempts:
Here I have intentionally given the wrong password to lock the user1 account; this can be confirmed using /var/log/secure:
To unlock the user account here we will again use faillock command as shown below:
Now you will see that all the history of failed login attempts for user1 is cleared so now user1 can log back in:
5.2 Using pam_tally2 module
If you are using the pam_tally2 module to count login attempts and allow or deny a user login, then you must also use pam_tally2 to unlock the user account. For example, here user1 is locked after multiple failed login attempts:
So to reset the failed login attempts we use:
Next if you check the active failed login attempt count, the output would be empty which means your user is unlocked and you can try to login again:
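Both pam_faillock and pam_tally2 count consecutive failed authentications per user and clear that count when the user authenticates successfully. As an added example (not code from the original article), the shell function below applies the same counting rule to constructed /var/log/secure-style sshd lines to show which accounts would be locked at a given deny threshold, which is a quick way to confirm a lockout before resetting it.

```shell
# Constructed /var/log/secure-style sshd lines (not from a real host).
SAMPLE_LOG=$(cat <<'EOF'
May  1 10:00:01 host sshd[1201]: Failed password for user1 from 192.0.2.10 port 50022 ssh2
May  1 10:00:05 host sshd[1201]: Failed password for user1 from 192.0.2.10 port 50022 ssh2
May  1 10:00:09 host sshd[1201]: Failed password for user1 from 192.0.2.10 port 50022 ssh2
May  1 10:01:00 host sshd[1305]: Failed password for invalid user admin from 198.51.100.7 port 41000 ssh2
May  1 10:02:00 host sshd[1400]: Failed password for user2 from 192.0.2.11 port 50100 ssh2
May  1 10:02:04 host sshd[1400]: Failed password for user2 from 192.0.2.11 port 50100 ssh2
May  1 10:02:30 host sshd[1400]: Accepted publickey for user2 from 192.0.2.11 port 50100 ssh2
May  1 10:03:00 host sshd[1500]: Failed password for user2 from 192.0.2.11 port 50101 ssh2
EOF
)

# Print "<user> <failures>" for each account whose consecutive failed
# password attempts reach the deny threshold ($2), counting the way
# pam_faillock/pam_tally2 do: a successful login resets the counter.
failed_over_threshold() {
    printf '%s\n' "$1" | awk -v deny="$2" '
        /Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "for") break
            # "for invalid user NAME" means no such account exists; tag it
            user = ($(i+1) == "invalid") ? $(i+3) "(invalid)" : $(i+1)
            fails[user]++
        }
        /Accepted (password|publickey) for/ {
            for (i = 1; i <= NF; i++) if ($i == "for") break
            fails[$(i+1)] = 0
        }
        END { for (u in fails) if (fails[u] >= deny) print u, fails[u] }' | sort
}

failed_over_threshold "$SAMPLE_LOG" 3   # prints: user1 3
```

On a real host, feed it the live log with `failed_over_threshold "$(cat /var/log/secure)" 3`, using the deny value from your faillock.conf or pam_tally2 line.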
Summary
In this article I have tried to cover the different scenarios under which a user account can get locked and the steps to unlock the account in each case. Things become really complicated when the root user gets locked out, so you must always have a backup plan when setting up such features, for example allowing console-based root access. Most of these settings apply to SSH-based access or to su and sudo, so for the worst case you can allow console access for root so it can login and unlock itself.
How to Lock An Account on Linux
How do I lock an account (user login id) under the Linux operating system? How can I disable a user's login without disabling the account on a Linux based server?
You can use the passwd command to change user or group account passwords. A normal user may only change the password for his/her own account; the super user (root) may change the password for any account. You can use the passwd command for locking or unlocking an account on a Linux operating system.
Tutorial details | |
---|---|
Difficulty level | Easy |
Root privileges | Yes |
Requirements | passwd and chage command |
Est. reading time | 3 minutes |
Task: Linux locking an account
The syntax is as follows for locking down the account. It is performed by rendering the encrypted password into an invalid string by prefixing the encrypted string with an !. The -l option is available to the root user only:
The -l option disables an account by changing the password to a value which matches no possible encrypted value. In this example, we lock the user account named vivek. First, login as root and type the following command:
OR use the sudo command:
Task: Linux Unlocking an Account
The syntax is as follows, and the -u option is available to the root user only:
The -u option re-enables an account by changing the password back to its previous value, i.e. the value before the -l option was used. To unlock the user account named vivek, login as root and type the following command:
Task: Root can access any account
Sample session: Disable a user’s login without disabling the account
Fig.01: How to Linux disable a user’s login without disabling account
A note about the ssh public key based authentication
A user account locked with the -l option can still log in by other methods such as ssh public key authentication. Use the following command for full account locking:
Fig.02: Linux chage command set and unset expire date for given user account
How can I remove an account expiration date?
User can now login using ssh public key or password:
- Search for all account without password and lock them (includes sample script for FreeBSD/Linux/Sun Solaris)
- Man pages: passwd(5)
How to lock a file or directory so that others can't even open it?
Change the file permissions….
#chmod 777
for full permissions rwx
and
#chmod 700
so that no one can access your files or dir. Then the user (you) has full permissions but others do not…
Once you have locked an account, is there any way to view a confirmation of some sort of that locked account? Or even better, print an account showing it's locked somehow?
Say for audit purposes?
jamie, you can get a list of locked accounts with the passwd command:
$ sudo passwd -Sa | awk '($2 == "L")'
I tried your command and I got an invalid option
sudo passwd -Sa | awk '($2 == "L")'
"option requires a username" and "unknown option" with -S.
Just wondering if there was something I am missing. We are on Red Hat Enterprise servers.
Still works for me. I’m on Ubuntu 10.04. Maybe you have a different version of the passwd command?
-a is not an option for CentOS 6 version of passwd.
Is there any way to display the message "Account is Locked, Please Contact Systems Dept" when the account is locked by the pam_d module in Linux?
@Karthik: setting the expiration date (chage -E 1), but NOT locking the password (i.e. don't use usermod -L), gives the behavior you want: when a user attempts to login and provides their password or ssh key, they get the message (on Ubuntu 10.10 anyway):
Your account has expired; please contact your system administrator
also using
usermod -L username
Is there any way to lock an account automatically if it has not been used for more than 20 days?
Here's a first try:
lastlog -b 20 | tail -n +2 | cut -d ' ' -f 1 | xargs -n1 echo usermod -L
That locks any account not logged into for 20 or more days. Note that “logged into” seems to mean pseudo terminal and ssh logins, but not GUI logins (for Gnome/GDM in Ubuntu anyways).
Is it possible to have a non-login account on Linux, Solaris or HP-UX?
On Solaris 10, we can have an account with no login or no passwd.
e.g.
# passwd -N testuser
passwd: password information changed for testuser
–> Show password attributes
# passwd -s testuser
gmb NL
–> Shadow file entry
# grep "^testuser:" /etc/shadow
testuser:NP:12683.
You will notice that the user’s original password has been removed and replaced with the string “NP”. This account is now a non-login account and the original password has been discarded. You will not be able to login to this account, but the account will be able to make use of delayed execution facilities. To re-enable an account for interactive logins, simply reassign a password to the account using the passwd(1) command.
Nope. The above won't lock an account, it will lock the password only.
If the user has ssh-keys set.. he is still able to log into the account.
Arpit is correct: usermod -L only prevents password logins. I looked into this and found another easy solution, but there are some caveats.
Looking at the man page for usermod, the -L entry says:
Note: if you wish to lock the account (not only access with a password), you should also set the EXPIRE_DATE to 1.
But BE CAREFUL: usermod can change the expire date with -e, but that option expects a YYYY-MM-DD formatted date, and if you do
IT SETS THE EXPIRATION DATE TO THE CURRENT DATE! In conjunction with the confusing documentation, this seems like a major bug to me …
Now, there are at least two ways to set the expire date to the "1" that the usermod man page suggests. But first, what does "1" mean? According to the shadow and chage man pages, it's the number of days since 1 January 1970 (the unix epoch). So, the point is that (1+1) January 1970 is in the past, and actually any VALID date in the past would effectively lock the account.
Another WARNING: don't think you can simply set the date arbitrarily: dates before 1 Jan 1970 are not valid, and passing such a date to usermod appears to succeed, but then /etc/shadow is corrupted and subsequent commands, INCLUDING usermod, can not edit ’s entry (e.g. chage will add a second entry for that user and pwck will suggest you delete the entry with the bad date!).
OK, so how to set the expire date correctly? Two easy ways:
1. with chage: chage -E 1 . then use chage -l to see that the expiration date is in the past.
2. with usermod: usermod -e 1970-01-02 .
If you screw something up (e.g. by passing usermod a date before 1 January 1970), you can edit /etc/shadow manually with vipw -s.
Thanks again to Arpit for pointing out that usermod -L was not really locking the accounts.