How to find all ways in which a Unix user account is locked
Solution 1
You can use passwd to gather some information, e.g. whether an account is locked:
passwd -S user
user LK 2012-11-06 0 99999 7 -1 (Password locked.) (CentOS)
user L 01/22/2013 0 99999 7 -1 (Ubuntu)
The chage utility will provide information about the various timers on an account, e.g. for an unexpired password:
chage -l user
Last password change : Nov 12, 2012
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
For an expired password:
chage -l user
Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 22
Number of days of warning before password expires : 33
The passwd and chage utilities also list many of the account locks.
You can use getent to pull the information directly from the relevant database for examination:
getent passwd user
user:x:505:505::/home/passtest:/sbin/nologin <-- denied login
getent shadow user
user:!!:0:0:22:33:44:: <-- this is locked
Solution 2
In general: no.
Iain's answer is a good summary of how to query the password aging systems, but missed out all sorts of things. For example:
- Someone trying to log in via ssh could be prohibited by directives in the sshd configuration.
- A system may be configured to only allow members of a certain netgroup to login.
- The local PAM configuration may require explicit group membership to log in, or may only permit a particular list of users.
- What looks like a locked account may turn out to be home directory access problems.
- Someone may have created /etc/nologin, which for some applications (e.g., ssh) will lock out all users.
In other words, there are many ways for an account to be locked out that have nothing to do with the passwd file. Your best bet is to check /var/log/secure or the distribution-appropriate local analog.
Solution 3
In addition to the aforementioned passwd, chage and getent, there's also pam_tally2. If the number of failed login attempts is above the allowable limit (which is set in /etc/pam.d/password-auth), you'll have to do
pam_tally2 --user=foo --reset
before they can log in again.
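As an added example (not code from any of the answers above), here is a POSIX sh function that pulls together the indicators from Solutions 1 and 2: it reads a getent passwd line and a getent shadow line and reports each lock it sees (locked hash, forced change, aged-out or inactive password, account expiry, nologin shell, nologin file). It assumes today's date is passed in as days since the epoch and that the nologin file path is a parameter, so it runs against constructed records without root; the pam_tally2 counter from Solution 3 is not covered.

```shell
# Report every lock indicator visible in an account's passwd and shadow records.
# Args: passwd line, shadow line (getent format), today as days since the epoch,
# nologin file to check (assumed parameter, defaults to /etc/nologin).
# Prints one reason per line, or "none" when no indicator is present.
lock_reasons() {
    passwd_line=$1; shadow_line=$2; today=$3; nologin_file=${4:-/etc/nologin}
    reasons=""
    # passwd field 7: a non-interactive shell denies interactive login.
    shell=$(printf '%s\n' "$passwd_line" | cut -d: -f7)
    case "$shell" in
        */nologin|*/false) reasons="$reasons shell-denies-login" ;;
    esac
    # shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    hash=$(printf '%s\n' "$shadow_line" | cut -d: -f2)
    lastchg=$(printf '%s\n' "$shadow_line" | cut -d: -f3)
    max=$(printf '%s\n' "$shadow_line" | cut -d: -f5)
    inactive=$(printf '%s\n' "$shadow_line" | cut -d: -f7)
    expire=$(printf '%s\n' "$shadow_line" | cut -d: -f8)
    # A hash prefixed with "!" or "*" is what passwd -l / usermod -L leave behind.
    case "$hash" in
        '!'*|'*'*) reasons="$reasons password-locked" ;;
    esac
    # lastchg of 0 forces a password change at next login (chage -d 0).
    if [ "$lastchg" = "0" ]; then
        reasons="$reasons password-change-forced"
    fi
    # Older than lastchg+max days: password expired; past max+inactive: inactive.
    if [ -n "$lastchg" ] && [ "$lastchg" != "0" ] && [ -n "$max" ] \
        && [ "$max" -lt 99999 ] && [ "$today" -gt $((lastchg + max)) ]; then
        reasons="$reasons password-expired"
        if [ -n "$inactive" ] && [ "$inactive" -ge 0 ] \
            && [ "$today" -gt $((lastchg + max + inactive)) ]; then
            reasons="$reasons password-inactive"
        fi
    fi
    # Absolute account expiry (chage -E), also stored as days since the epoch.
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        reasons="$reasons account-expired"
    fi
    # An existing /etc/nologin blocks all non-root logins via login(1) and sshd.
    if [ -e "$nologin_file" ]; then
        reasons="$reasons nologin-file-present"
    fi
    if [ -z "$reasons" ]; then echo none; else printf '%s\n' $reasons; fi
}
```

Run it as `lock_reasons "$(getent passwd user)" "$(getent shadow user)" $(( $(date +%s) / 86400 ))` on a real host (reading shadow needs root); the record from Solution 1 reports the nologin shell, the locked hash and the forced change.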
Updated on September 18, 2022
Comments
- wfaulk, over 1 year ago:
I occasionally find myself in a situation where an undermaintained system has an account that's been locked out. The problem is that there are a variety of ways in which an account can be locked out, each with their own method of being unlocked.
It's not that the account is being locked improperly, just unexpectedly, but finding the correct lock to reset is difficult.
My most recent attack of this problem was on a SUSE system, and it turned out that the password had expired (which wasn't initially known because the login attempts were not through a system that provided that sort of feedback), and then also locked due to failed login attempts.
Is there a list somewhere of all of the different possible account locks and how to disable them? I'm intending for actual brokenness, such as home directory access problems, corrupt PAM libraries, etc., to be out of scope for this question.
- wfaulk, about 11 years ago: I was intending my question to assume that things were not "broken" and that the user had been able to log in before. That is, that some system functioning properly locked out the account. These are good points, but I'll update the question to be a little more explicit.
- wfaulk, over 7 years ago: That only checks one of the ways in which an account can be locked.