How to find all ways in which a Unix user account is locked


Solution 1

You can use passwd to gather some information, e.g. whether an account is locked:

passwd -S user
user LK 2012-11-06 0 99999 7 -1 (Password locked.) (CentOS)
user L 01/22/2013 0 99999 7 -1 (Ubuntu)

The chage utility will provide information about the various timers on an account, e.g. for an unexpired password:

chage -l user
Last password change                                    : Nov 12, 2012
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

For an expired password:

chage -l user
Last password change                                    : password must be changed
Password expires                                        : password must be changed
Password inactive                                       : password must be changed
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 22
Number of days of warning before password expires       : 33

The passwd and chage utilities also list many of the account locks.

You can use getent to pull the information directly from the relevant database for examination:

getent passwd user
user:x:505:505::/home/passtest:/sbin/nologin  <-- denied login
getent shadow user
user:!!:0:0:22:33:44::   <-- this is locked
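
The shadow and passwd lines above can be decoded without root, so here is an added example (not part of the answers on this page) that reads one shadow(5) entry and one passwd(5) entry and prints every lock indicator it finds: a "!" or "*" prefix on the hash, a forced password change (lastchg=0), password expiry and inactivity from the aging fields, an account expiry date, and a nologin/false shell. "today" is passed in as days since the epoch, the unit shadow(5) uses, so the function runs on constructed input; the sample entries are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example: report why an account cannot log in, judging only from its
# shadow(5) and passwd(5) entries (constructed input, no /etc/shadow access).
# Usage: lock_reasons 'shadow-line' 'passwd-line' [today-in-days]
# Prints one reason per line and nothing when no lock is found.
lock_reasons() {
    today=${3:-$(( $(date +%s) / 86400 ))}
    # shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    IFS=: read -r name hash lastchg min max warn inactive expire _ <<EOF
$1
EOF
    # passwd fields: name:x:uid:gid:gecos:home:shell
    IFS=: read -r _ _ _ _ _ _ shell <<EOF
$2
EOF
    # passwd -l / usermod -L prefix the hash with "!"; "*" and "!!" also deny
    case $hash in
        '!'*|'*'*) echo "password locked (shadow field 2 is '$hash')" ;;
    esac
    # lastchg of 0 is what chage -l reports as "password must be changed"
    if [ "${lastchg:-1}" -eq 0 ]; then
        echo "password must be changed (lastchg=0)"
    fi
    # password aging: expired after lastchg+max days, inactive after +inactive
    if [ -n "$max" ] && [ "${lastchg:-0}" -gt 0 ] && [ "$max" -lt 99999 ]; then
        if [ $(( lastchg + max )) -lt "$today" ]; then
            echo "password expired ($(( today - lastchg - max )) days ago)"
            if [ -n "$inactive" ] && [ $(( lastchg + max + inactive )) -lt "$today" ]; then
                echo "password inactive: login no longer permitted"
            fi
        fi
    fi
    # account expiry is an absolute day number, independent of the password
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo "account expired (day $expire)"
    fi
    # the "denied login" case from the getent passwd output above
    case $shell in
        */nologin|*/false) echo "login shell $shell denies login" ;;
    esac
    return 0
}
```

Run it against `getent shadow user` and `getent passwd user` output on a real host (as root) and the list tells you which of the passwd/chage/usermod locks to clear; an empty result means the cause is outside the password database, as the other answers describe.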

Solution 2

In general: no.

Iain's answer is a good summary of how to query the password aging systems, but missed out all sorts of things. For example:

  • Someone trying to log in via ssh could be prohibited by directives in the sshd configuration.
  • A system may be configured to only allow members of a certain netgroup to login.
  • The local PAM configuration may require explicit group membership to log in, or may only permit a particular list of users.
  • What looks like a locked account may turn out to be home directory access problems.
  • Someone may have created /etc/nologin, which for some applications (e.g., ssh) will lock out all users.

In other words, there are many ways for an account to be locked out that have nothing to do with the passwd file. Your best bet is to check /var/log/secure or the distribution-appropriate local analog.

Solution 3

In addition to the aforementioned passwd, chage and getent, there's also pam_tally2.

If the number of failed login attempts is above the allowable limit (which is set in /etc/pam.d/password-auth), you'll have to do pam_tally2 --user=foo --reset before they can log in again.

wfaulk


Updated on September 18, 2022

Comments

  • wfaulk
    wfaulk over 1 year

    I occasionally find myself in a situation where an undermaintained system has an account that's been locked out. The problem is that there are a variety of ways in which an account can be locked out, each with their own method of being unlocked.

    It's not that the account is being locked improperly, just unexpectedly, but finding the correct lock to reset is difficult.

    My most recent attack of this problem was on a SUSE system, and it turned out that the password had expired (which wasn't initially known because the login attempts were not through a system that provided that sort of feedback), and then also locked due to failed login attempts.

    Is there a list somewhere of all of the different possible account locks and how to disable them? I'm intending for actual brokenness, such as home directory access problems, corrupt PAM libraries, etc., to be out of scope for this question.

  • wfaulk
    wfaulk about 11 years
    I was intending my question to assume that things were not "broken" and that the user had been able to log in before. That is, that some system functioning properly locked out the account. These are good points, but I'll update the question to be a little more explicit.
  • wfaulk
    wfaulk over 7 years
    That only checks one of the ways in which an account can be locked.