How to find all ways in which a Unix user account is locked
I occasionally find myself in a situation where an undermaintained system has an account that's been locked out. The problem is that there are a variety of ways in which an account can be locked out, each with their own method of being unlocked.
It's not that the account is being locked improperly, just unexpectedly, but finding the correct lock to reset is difficult.
My most recent attack of this problem was on a SUSE system, and it turned out that the password had expired (which wasn't initially known because the login attempts were not through a system that provided that sort of feedback), and then also locked due to failed login attempts.
Is there a list somewhere of all of the different possible account locks and how to disable them? I'm intending for actual brokenness, such as home directory access problems, corrupt PAM libraries, etc., to be out of scope for this question.
You can use passwd to gather some information, e.g. whether an account is locked:
passwd -S user
user LK 2012-11-06 0 99999 7 -1 (Password locked.) (CentOS)
user L 01/22/2013 0 99999 7 -1 (Ubuntu)
The chage utility will provide information about the various timers on an account, e.g. for an unexpired password:
chage -l user
Last password change : Nov 12, 2012
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
For an expired password:
chage -l user
Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 22
Number of days of warning before password expires : 33
The passwd and chage utilities also list many of the account locks.
You can use getent to pull the information directly from the relevant database for examination:
getent passwd user
user:x:505:505::/home/passtest:/sbin/nologin <-- denied login
getent shadow user
user:!!:0:0:22:33:44:: <-- this is locked
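The shadow line above packs several of the states that passwd -S and chage -l report into nine colon-separated fields. The following shell function is an added example (not part of Iain's answer) that reads one shadow(5) record and names the conditions it encodes; the sample records are constructed, and the "today" value is supplied in days since the epoch, which is the unit the shadow file itself uses.

```shell
#!/bin/sh
# Added example (not part of the original answer): classify a shadow(5) record
# into the conditions that "passwd -S" and "chage -l" report, so a line such as
# "user:!!:0:0:22:33:44::" can be read off directly.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Day counts are days since 1970-01-01, as stored in the shadow file.

# shadow_flags SHADOW_LINE TODAY_IN_DAYS -> comma-separated condition list, or "ok"
shadow_flags() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        hash = $2; lastchg = $3; max = $5; inactive = $7; expire = $8
        n = 0
        # Empty hash: no password at all (a finding in its own right).
        # "!" or "*" prefix: passwd -l / usermod -L lock, or never set ("!!").
        if (hash == "")               out[++n] = "empty-password"
        else if (hash ~ /^[!*]/)      out[++n] = "locked"
        # lastchg of 0 forces a password change at next login.
        if (lastchg == "0")           out[++n] = "must-change"
        # Otherwise the password has aged out once lastchg+max is in the past
        # (max of 99999 is the "never" convention) ...
        else if (lastchg != "" && max != "" && max + 0 < 99999 && lastchg + max < today) {
            out[++n] = "expired"
            # ... and becomes inactive after the grace period on top of that.
            if (inactive != "" && inactive + 0 >= 0 && lastchg + max + inactive < today)
                out[++n] = "inactive"
        }
        # Field 8 is an absolute account expiry day, independent of the password.
        if (expire != "" && expire + 0 < today) out[++n] = "account-expired"
        if (n == 0) { print "ok"; next }
        s = out[1]; for (i = 2; i <= n; i++) s = s "," out[i]; print s
    }'
}

# today_days -> today's date as days since the epoch (what the shadow fields use)
today_days() { echo $(( $(date +%s) / 86400 )); }

# Demo on constructed records (not real accounts), evaluated as of day 15700.
for rec in 'user:!!:0:0:22:33:44::' \
           'alice:$6$constructedhash:15600:0:90:7:14:15800:' \
           'bob::15000:0:99999:7:::'; do
    printf '%-50s %s\n' "$rec" "$(shadow_flags "$rec" 15700)"
done
# For a real account (needs root): shadow_flags "$(getent shadow user)" "$(today_days)"
```

The function reports every condition it finds rather than the first one, which is the point of the question: the original SUSE case had an expired password and a failed-attempt lock at the same time, and a tool that stops at the first match hides the second.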
In general: no.
Iain's answer is a good summary of how to query the password aging systems, but misses out all sorts of things. For example:
- Someone trying to log in via ssh could be prohibited by directives in the sshd configuration.
- A system may be configured to only allow members of a certain netgroup to log in.
- The local PAM configuration may require explicit group membership to log in, or may only permit a particular list of users.
- What looks like a locked account may turn out to be home directory access problems.
- Someone may have created /etc/nologin, which for some applications (e.g., ssh) will lock out all users.
In other words, there are many ways for an account to be locked out that have nothing to do with the passwd file. Your best bet is to check /var/log/secure or the distribution-appropriate local analog.
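Two of the lock sources this answer lists can be checked without logging in as the user: the sshd user/group directives and the local /etc/nologin and home-directory conditions. The script below is an added example (not from the answer, and not OpenSSH's own code) that applies the decision order documented in sshd_config(5) (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups) to a config file path you supply. It assumes a simplified matcher: USER@HOST patterns and Match blocks are ignored, only the plain name with * and ? wildcards is compared, and the user's group list is passed in by the caller (for instance from id -Gn user). The config it runs against in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original answer or from OpenSSH: reproduces the
# sshd_config(5) decision order for the user/group directives (DenyUsers, then
# AllowUsers, then DenyGroups, then AllowGroups) against a config file path you
# supply, plus the two local checks the answer names (/etc/nologin, home dir).
# Assumptions/simplifications: USER@HOST patterns and Match blocks are ignored,
# only the plain name with * and ? wildcards is matched; the group list is
# passed in by the caller (e.g. from "id -Gn user").
set -f   # never pathname-expand the "*" in directive values

# glob_in_list NAME "pat1 pat2 ..." -> true if NAME matches any pattern
glob_in_list() {
    for pat in $2; do
        case $1 in $pat) return 0 ;; esac
    done
    return 1
}

# directive_values CONFIG KEYWORD -> every value of KEYWORD (case-insensitive), space-separated
directive_values() {
    awk -v key="$2" 'tolower($1) == tolower(key) { for (i = 2; i <= NF; i++) printf "%s ", $i }' "$1"
}

# sshd_user_allowed USER CONFIG "group ..." -> prints allowed | denied:<directive>
sshd_user_allowed() {
    user=$1; cfg=$2; groups=$3
    deny_users=$(directive_values "$cfg" DenyUsers)
    allow_users=$(directive_values "$cfg" AllowUsers)
    deny_groups=$(directive_values "$cfg" DenyGroups)
    allow_groups=$(directive_values "$cfg" AllowGroups)

    if glob_in_list "$user" "$deny_users"; then echo "denied:DenyUsers"; return 0; fi
    if [ -n "$allow_users" ] && ! glob_in_list "$user" "$allow_users"; then
        echo "denied:AllowUsers"; return 0
    fi
    for g in $groups; do
        if glob_in_list "$g" "$deny_groups"; then echo "denied:DenyGroups"; return 0; fi
    done
    if [ -n "$allow_groups" ]; then
        for g in $groups; do
            if glob_in_list "$g" "$allow_groups"; then echo "allowed"; return 0; fi
        done
        echo "denied:AllowGroups"; return 0
    fi
    echo "allowed"
}

# local_blockers NOLOGIN_FILE HOME_DIR -> one reason per line, or "none"
# (run this as the affected user, or the -x test reflects your access, not theirs)
local_blockers() {
    found=0
    if [ -e "$1" ]; then echo "nologin-file:$1"; found=1; fi
    if ! [ -d "$2" ]; then echo "home-missing:$2"; found=1
    elif ! [ -x "$2" ]; then echo "home-not-searchable:$2"; found=1; fi
    [ "$found" -eq 0 ] && echo "none"
    return 0
}

# Demo against a constructed config in a scratch directory (not a live system).
demo=$(mktemp -d)
printf '%s\n' '# constructed sshd_config' 'AllowUsers alice dep-*' \
              'DenyUsers mallory' 'DenyGroups contractors' > "$demo/sshd_config"
for u in alice mallory bob dep-7; do
    printf '%-8s -> %s\n' "$u" "$(sshd_user_allowed "$u" "$demo/sshd_config" users)"
done
local_blockers "$demo/nologin" "$demo/home"
rm -rf "$demo"
```

On a real host, point it at /etc/ssh/sshd_config (or at sshd -T output, which resolves the effective configuration) and at /etc/nologin and the home directory from getent passwd. The netgroup and PAM conditions in the answer have no equivalent here; for those the PAM stack and /var/log/secure remain the place to look.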
In addition to the aforementioned passwd, chage and getent, there's also pam_tally2.
If the number of failed login attempts is above the allowable limit (which is set in /etc/pam.d/password-auth), you'll have to do pam_tally2 --user=foo --reset before they can log in again.