Practical, command-line ways to disable and re-enable Linux accounts for maintenance and security. 16.11.2025 | reading time: 3 min Control who can log in: sometimes an account must be suspended immediately, other times it must be restored; the shell and the password state are the usual levers and the shell is not the same as the password, so choose carefully. Step-by-step demo Try this sequence on a test system to see how locking works in practice: ```bash sudo useradd -m -p $(openssl passwd -6 'Secret123') alice # create user with a hashed password sudo grep '^alice:' /etc/shadow alice:$6$abcdefg:18295:0:99999:7::: sudo passwd -l alice Locking password for user alice. sudo grep '^alice:' /etc/shadow alice:!$6$abcdefg:18295:0:99999:7::: sudo passwd -u alice Unlocking password for user alice. sudo grep '^alice:' /etc/shadow alice:$6$abcdefg:18295:0:99999:7::: # expire and restore account sudo chage -E 0 alice sudo chage -l alice Account expires : Mar 15, 2025 sudo chage -E -1 alice sudo chage -l alice Account expires : never ``` When a lock is not enough A locked password merely prevents password authentication and typically prefixes the hash in /etc/shadow with an exclamation mark; it does not remove files, revoke sudo rights, or stop key-based logins, so combine methods — change the login shell to /sbin/nologin, expire the account with chage, or remove SSH keys for complete isolation. Choose the right command Use `passwd -l` and `passwd -u` for simple password toggles, `usermod -L` and `usermod -U` for the same change at the user record level, and `chage -E` to set an expiration date; in LDAP or SSSD environments perform the change where accounts are authoritative, not just on a single host. Best practices and caveats Test on a nonproduction account first, document actions in change logs, avoid locking service accounts without checking cron and systemd units, and remember that automation tools must handle unlocks safely to avoid accidental lockouts. Final thought Locking and unlocking are small operations with big effects; learn their differences and combine them wisely to protect systems, and if you want to go deeper consider formal training and certification such as CompTIA Linux+ or LPIC-1 with intensive exam preparation at bitsandbytes.academy. Join Bits & Bytes Academy First class LINUX exam preparation. security utilities processes
