How To Restrict Log In Capabilities of Users on Ubuntu

Introduction

A fundamental part of system administration is configuring and managing users and groups. Part of this task involves monitoring the log in capabilities of all system entities.

In this guide, we will introduce the ideas behind user management and authentication logging.

We will be exploring these concepts on a Ubuntu 22.04 server, but you can follow along on any modern Linux distribution. You can set up a Ubuntu 22.04 server for this tutorial by following our guide to Initial Server Setup on Ubuntu 22.04.

As mentioned in the previous tutorial in this series, some of the users on your server may be associated with services, and are not intended to be used as regular accounts.

In this section, you will review how to restrict the login capabilities of these users in a number of ways.

How To Restrict Access With /etc/passwd

One method of restricting the login capabilities is to set the account’s login shell to a special value.

An example of this is the messagebus user, which you can use grep to search for within the /etc/passwd file:

less /etc/passwd | grep messagebus

Output
messagebus:x:102:105::/nonexistent:/usr/sbin/nologin

The final value is the shell or the command that is run when the login is successful. In this case, the value is set to /usr/sbin/nologin.

If you try to switch to the messagebus user using sudo su, it will fail:

sudo su messagebus

Output
This account is currently not available.

You receive this message because the shell for messagebus is set to /usr/sbin/nologin.

You can use the usermod tool to change a user’s default login shell (usually /bin/bash) to a nonexistent shell like nologin when you need to prevent them from logging in.

sudo usermod -s /usr/sbin/nologin username

How To Restrict Access With /etc/shadow

Another, similar method of restricting access is to use the /etc/shadow file. This file contains the hashed password values of every user on the system.

You can use less to view the entire file:

sudo less /etc/shadow

Output
. . .
uuidd:*:19105:0:99999:7:::
tcpdump:*:19105:0:99999:7:::
sshd:*:19105:0:99999:7:::
pollinate:*:19105:0:99999:7:::
landscape:*:19105:0:99999:7:::
lxd:!:19180::::::
sammy:$y$j9T$4gyOQ5ieEWdx1ZdggX3Nj1$AbEA9FsG03aTsQhl.ZVMXatwCAvnxFbE/GHUKpjf9u6:19276:0:99999:7:::

The second field (the one starting with $y$j9T$4gyO… in the last line) contains the hashed password value.

The system accounts have an asterisk (*) instead of a complex hash value. Accounts with an asterisk in the second field have not had a password set and are not able to authenticate by password without changing this.

You can disable a password value (in effect, making an account with a password equivalent to the asterisk value), by preceding the hash value with an exclamation point (!).

Two tools can do this by “locking” the specified account.

The passwd command can be locked with the -l flag and unlocked with the -u flag:

sudo passwd -l sammy

sudo less /etc/shadow | grep sammy

Output
sammy:!$y$j9T$4gyOQ5ieEWdx1ZdggX3Nj1$AbEA9FsG03aTsQhl.ZVMXatwCAvnxFbE/GHUKpjf9u6:19276:0:99999:7::::::

As you can see, the hashed password is retained, but made invalid by placing a ! in front of it.

The account can be unlocked again by typing:

sudo passwd -u sammy

Equivalent operations are available using the usermod command. The corresponding flags are -L for locking, and -U for unlocking:

sudo usermod -L sammy
sudo usermod -U sammy

How To Restrict Access With /etc/nologin

There may be some situations when you need to disable all account logins, other than root.

This could be because of in-depth maintenance, or because one or more of your user accounts has been compromised.

In any case, this can be accomplished by creating a file at /etc/nologin:

sudo touch /etc/nologin

This will prevent any account from logging in that does not have superuser privileges.

With an empty /etc/nologin file, this just dumps the user back to their local shell without any explanation.

What is really happening is that the contents of the file are returned to the user. If you add a message, users will receive an explanation for the login failure:

sudo sh -c 'echo "Planned maintenance. Log in capabilities will be restored at 1545 UTC" > /etc/nologin'

Now when you try to log in with a password, you will receive this message:

ssh sammy@host

Output
sammy@host's password:
Planned maintenance. Log in capabilities will be restored at 1545 UTC

Connection closed by host

Root users can still log in normally. Remove the “/etc/nologin” file to reverse the login restriction:

sudo rm /etc/nologin

Conclusion

User authentication on Linux is a relatively flexible area of system management. There are many ways of accomplishing the same objective with widely available tools.

You should now know how to restrict usage through various methods.

In the next part of this tutorial series, you will review how to monitor user logins.

sudo service ssh restart