
Saturday, June 16, 2012

Completely disable a RHEL user account


How to completely disable a RHEL user account?

Issue
We would like to know the correct way to disable all remote access to an account. Clearly, "passwd -l" (and by the same token, "usermod -L") is insufficient because it does not affect authentication by SSH public key (or by PAM modules other than pam_unix that may be enabled).
Additionally, changing the shell to /bin/false or /sbin/nologin is unsatisfactory since this only affects interactive logins.
Environment
  • Red Hat Enterprise Linux (RHEL) 3, 4, 5, 6
Resolution
Expiring the account via the chage utility (e.g. "chage -E 1 <username>") will disable all access methods that use PAM authentication.
Root Cause
Changing the shell (e.g. to /bin/false) is not recommended because it only prevents interactive shell sessions for the user. SSH port forwarding, for example, does not require a shell when invoked with the -N option, so changing the shell will not prevent users from authenticating and starting port forwarding.
Likewise, simply using the old "passwd -l" or "usermod -L" methods of locking accounts only blocks authentication that uses the password stored in the local passwd file. Since other authentication methods are becoming more and more popular (most notably, ssh public key authentication), this method is clearly unacceptable.
Expiring the account via "chage -E" will block all access methods that use PAM authentication.
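
An added audit example, not from the original post: it reads shadow(5)-format lines and separates accounts that were only password-locked (the state "passwd -l" leaves, which the post says SSH keys bypass) from accounts expired with "chage -E". The function names, the constructed sample entries, and counting the expiry day itself as expired are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify accounts from shadow(5)-format lines on stdin.
# Usage (as root): classify_shadow < /etc/shadow
# Optional argument: "today" as days since 1970-01-01 (defaults to now).

classify_shadow() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        /^#/ || NF < 8 { next }           # skip comments and short lines
        {
            user = $1; pw = $2; expire = $8
            locked  = (pw ~ /^!/)         # "!" prefix: password hash disabled
            # Field 8 is the account expiry date in days since the epoch.
            # Assumption: the expiry day itself is counted as expired.
            expired = (expire != "" && expire + 0 <= today + 0)
            if (expired)      status = "expired"
            else if (locked)  status = "password-locked-only"
            else              status = "active"
            print user, status
        }'
}

# Constructed sample entries (hashes are placeholders, not real):
#   bob   = password locked only, account expiry unset
#   carol = account expiry set to day 1, as "chage -E 1" does
#   dave  = expiry date set far in the future
sample_shadow() {
    cat <<'EOF'
alice:$6$CONSTRUCTED$hash:19000:0:99999:7:::
bob:!!$6$CONSTRUCTED$hash:19000:0:99999:7:::
carol:$6$CONSTRUCTED$hash:19000:0:99999:7::1:
dave:$6$CONSTRUCTED$hash:19000:0:99999:7::99999:
EOF
}

# Demo run against the constructed sample with a fixed "today" of day 20000.
sample_shadow | classify_shadow 20000
```

Any account reported as password-locked-only still has no account expiry set, so it is a candidate for "chage -E 1" if the intent was to disable it completely.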

Hope this will help!
Kuldeep Sharma