Disabling user accounts
There are several ways to disable a user account, either temporarily or
permanently, with or without the ability to restore the account as it was.
Basically they amount to changing either the password or the shell, that is,
changing those fields in the /etc/shadow and /etc/passwd files respectively.
The exercise to perform
Operate as root. Make a backup copy of an important file you're going to edit:
cp /etc/shadow ~ ( ~ is shorthand for "home directory of the current user")
Create two fresh users
useradd jack
useradd jill
Look at the resulting passwords. They're in the 2nd field in the new records at the bottom of the shadow file:
tail /etc/shadow
In a different virtual terminal (ctrl-alt-Fn), try to log in as jack and/or jill.
[note: an alternative to the ctrl-alt-Fn key combination is the chvt command with n as argument. If you have invoked a GUI desktop, and you depart from it to a character-mode virtual terminal n by pressing ctrl-alt-Fn, ctrl-alt-F7 takes you back to your GUI. If in VMware, which uses the combination ctrl-alt for its own purposes, it's ctrl-alt-space then lift space and hit Fn while keeping ctrl and alt down.]
Disabling by manipulating the user's password
Now create the password "hello" for jill:
passwd jill
In the other virtual terminal, test that you can now log in as jill. Then open /etc/shadow in an editor. I suggest gedit, a graphical editor that's easy to use. If you use it, though, you must run it as root for this exercise to work (if you are not sure how to make that happen, ask the instructor). Copy the contents of jill's password field into jack's, replacing whatever was in jack's password field until now. Now test that you can log in as jack, using the same password as jill ("hello").
Let's change jack's password to "goodbye" by replacing his /etc/shadow password field accordingly. Accordingly?? What should the hashed/scrambled version of "goodbye" be? That's what the field requires. Run this command interactively, supplying "goodbye" as password.
grub-md5-crypt
[note: or try echo "password"|openssl passwd -1 -stdin]
It will produce and display the hashed version of the password. Edit this into jack's password field (carefully!) then check he can log in with password "goodbye".
So, disabling a user account could be done by simply disturbing the content of the password field. Any change you made there would change the password the user must supply, and render the password that the user knows inoperative and useless. The passwd command can do this for you.
passwd -l jack
Now look at jack's password field.
passwd -u jack
Now look again. -l and -u stand for lock and unlock. Because "locking" just inserts two characters, it leaves the door open to reversal. Just remove the two extra characters you introduced. (If you totally deleted the old password, you could not administratively restore the old password.)
Disabling by manipulating the user's called shell
Another way to disable an account is to replace "/bin/bash" as the user's shell with some other program that does little or nothing and just quits. There will be no command prompt (that's a creature of bash-- no bash, no prompt). Two such programs are /bin/false, which just quits without doing anything, and /sbin/nologin, which quits after printing an advisory message. To see the behavior, run both as normal commands at the prompt:
false
nologin
Now change /etc/passwd so that the final field in jack's record is "/bin/false" and the final field in jill's record is "/sbin/nologin". Rather than editing the file by hand, use the usermod command, which will do it for you automatically:
usermod -s /bin/false jack
usermod -s /sbin/nologin jill
tail /etc/passwd
su jack
su jill
(The user's shell is invoked when you run su, so that's another way to test it, in addition to logging in directly at a virtual terminal.)
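The two methods above leave their traces in different files: the password field of /etc/shadow and the shell field of /etc/passwd. The script below is an added example, not part of the original exercise; it reads both files and reports, per account, which method (if any) is in effect. The users mary and newu, the placeholder hash strings, the state names and the list of shell paths treated as disabled are assumptions made for the illustration.

```shell
#!/bin/sh
# audit_accounts PASSWD_FILE SHADOW_FILE: one line per user with the state
# of the password field (shadow) and of the shell field (passwd).
audit_accounts() {
    awk -F: '
        # First file (shadow format): remember each password field.
        NR == FNR { pw[$1] = $2; seen[$1] = 1; next }
        {
            p = pw[$1]
            if (!($1 in seen))       pstate = "no-shadow-entry"
            else if (p == "")        pstate = "empty"
            else if (p ~ /^!+[^!*]/) pstate = "locked-restorable"
            else if (p ~ /^[!*]+$/)  pstate = "no-password"
            else                     pstate = "usable"
            # Assumption: false/nologin may live in /bin, /sbin, /usr/bin, /usr/sbin.
            if ($7 ~ /^(\/usr)?\/s?bin\/(false|nologin)$/) sstate = "disabled"
            else sstate = "interactive"
            printf "%s password=%s shell=%s\n", $1, pstate, sstate
        }
    ' "$2" "$1"
}

# Constructed sample records; the hash strings are placeholders, not real hashes.
sample_passwd() {
    cat <<'EOF'
jack:x:1001:1001::/home/jack:/bin/false
jill:x:1002:1002::/home/jill:/bin/bash
mary:x:1003:1003::/home/mary:/sbin/nologin
newu:x:1004:1004::/home/newu:/bin/bash
EOF
}
sample_shadow() {
    cat <<'EOF'
jack:$1$CONSTRUCTED$placeholder0000000000000:19000:0:99999:7:::
jill:!!$1$CONSTRUCTED$placeholder1111111111111:19000:0:99999:7:::
mary:$1$CONSTRUCTED$placeholder2222222222222:19000:0:99999:7:::
newu:!!:19000:0:99999:7:::
EOF
}

# Run the audit over the constructed sample using temporary files.
audit_sample() {
    tmp=$(mktemp -d) || return 1
    sample_passwd > "$tmp/passwd"
    sample_shadow > "$tmp/shadow"
    audit_accounts "$tmp/passwd" "$tmp/shadow"
    rm -rf "$tmp"
}
audit_sample
```

To run it against the exercise machine before the clean-up step, call audit_accounts /etc/passwd /etc/shadow as root.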
Clean up:
userdel -r jack
userdel -r jill
rm ~/shadow