How to Restrict Log In Capabilities of Users on Ubuntu

The basics of system administration are configuration and management of users and groups. Here, we will be discussing about authentication logging and monitoring of system entities.

By the end of this tutorial, you will be able to understand the concepts behind user management, monitoring and authentication logging. Also, we will show you how to restrict the login capabilities of certain users associated with particular services and not for regular purposes.

You can apply this information to other Linux distributions as well, because the fundamentals remain the same.

 

Restricting Access with /etc/passwd

 

If you need to restrict the login capabilities, you may want to set account’s login shell to a particular value. Example: the user ‘messagebus’ in the file “/etc/passwd”.

less /etc/passwd | grep messagebus
messagebus:x:102:104::/var/run/dbus:/bin/false

From the above snippet, the final value is that of the shell or command that was run when login is successful. Here, the value is set as “/bin/false”.

Suppose we want to log in to messagebus user as root:

sudo su messagebus

Nothing happens and we are not switched as new user.

If we try to log in to sshd user:

sudo su sshd

You will get the warning message as follows:

This account is currently not available.

This is because the shell for sshd is set as shown below – ‘/usr/sbin/nologin’.

less /etc/passwd | grep sshd
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin

Similarly, we can restrict a user’s login capability by changing the shell to some dummy values. Usermod is the tool that we can use for accomplishing this:

sudo usermod -s /usr/sbin/nologin username

You will have to replace the username with proper values.

 

Restricting Access with /etc/shadow

On similar lines, yet another method for restricting log in capabilities is by using the ‘/etc/shadow’ file. This is the file that contains hashed password values for all the users on the system. You can view its contents using this command:

sudo less /etc/shadow
root:$6$r79Dod3Y$3hi3QklpGEQMxwQGEss4ueNNPkoUrqUe3SwyAacaxl.Lmgq1r9i4mTblV1z6NfKMNXH1Cpnq.4iKhOiQd7Riy1:15953:0:99999:7:::
daemon:*:15455:0:99999:7:::
bin:*:15455:0:99999:7:::
sys:*:15455:0:99999:7:::
sync:*:15455:0:99999:7:::
games:*:15455:0:99999:7:::
man:*:15455:0:99999:7:::
. . .

 

In the above snippet, the first line contains the hashed password values of users in the second field. You can notice the asterisk (*) sign in the second field for system accounts. That is because, those system accounts do not have a password set and they will not be able to authenticate using passwords.

 

For restricting access, we can disable the password value using an exclamation mark (!) before the hashed value. This can be done by locking the specific account. The passwd command with –l flag will lock and –u flag will unlock account again.

sudo passwd -lusername
sudo less /etc/shadow | grepusername
username:!$6$vpNJ3oFe$5GSh2aU2BDcpdjvQeNFzh0zTgyRUl26x4dn77mFE/vaoXwd19m7okX44jO8TWaVqNRL8vUVTAcZVmgUT8dR.4.:15953:0:99999:7:::

 

The account is invalid as you can see an exclamation mark (!) before the hashed password value. You can unlock the account again if you want using the command:

sudo passwd -uusername

Similarly, usemod command also can be used for locking and unlocking using -L and -U flags.

sudo usermod -L username
sudo usermod -U username

However, this method of restricting access will lock password based logins only.  SSH connections or logins without passwords may still work as usual.

 

Restricting Access with /etc/nologin

In certain situations, you may be forced to disable all accounts other than root. For example, take an instance where more than one user account has been compromised. In such extreme cases, you can disable all accounts except root by creating a file ‘/etc/nologin/’.

sudo touch /etc/nologin
sudo sh -c 'echo "Planned maintenance. Try again later at 1545 UTC" > /etc/nologin'

 

You can either leave the file blank or can add any particular message echoing ‘planned maintenance’ or something. When a user tries to log in, the contents of this file will be returned to the user. Empty file will just dump the user back to his local shell without any warning. This is done for preventing any account that doesn’t have superuser privileges from logging in to your server.

[email protected]
[email protected]'s password:
Planned maintenance.  Log in capabilities will be restored at 1545 UTC
Connection closed by host

Root user can still log in and execute as normal. When it’s time to remove the login restriction, you just have to remove the /etc/nologin file that was created.

sudo rm /etc/nologin

 

support2 has written 111 articles

Leave a Reply