How do you tell if a user is "allowed to log in" on Linux?

Solution 1:

A lot of this depends on your definition of "log in" -- technically any user who exists in /etc/passwd & /etc/shadow is a "valid user" and could theoretically log in under the right set of circumstances.

The methods you're talking about fall into the following broad categories:

  • Users with "locked" accounts
    A user whose password is set to *, !, or some other hash that will never match is "locked out" (in the Sun days the convention was often *LK*, for "Locked").
    These users can't log in by typing a password, but they can still log in using other authentication mechanisms (SSH keys, for example).

  • Users with a "non-interactive" shell
    A user whose account has a "non-interactive shell" (/bin/false, /sbin/nologin) can't log in interactively -- i.e. they can't get a shell prompt to run commands at (this also prevents SSH command execution if the user has SSH keys on the system).
    These users may still be able to log in to do things like read/send email (via POP/IMAP & SMTP AUTH). Setting a non-interactive shell for users who should never need to use the shell (and for most "service accounts") is generally considered good practice.

So depending on your criteria for "able to log in" you may want to check one or both of these things.
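The two checks this answer describes (locked password hash, non-interactive shell), as an added Python example that is not from the original answer; the passwd and shadow lines are constructed samples with placeholder hashes, and the NOLOGIN_SHELLS set is an assumption you may need to extend for your distribution.

```python
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/sync"}

# Constructed sample entries; hash values are placeholders, not real hashes.
SAMPLE_PASSWD = """\
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc:x:1002:1002:Service:/var/lib/svc:/bin/false
"""
SAMPLE_SHADOW = """\
daemon:*:19000:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
bob:!$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
svc::19000:0:99999:7:::
"""

def password_status(hash_field):
    """'locked' for *, !, !!, *LK* style entries that can never match a typed
    password; 'empty' when no password is set at all; otherwise 'set'."""
    if hash_field == "":
        return "empty"
    if hash_field.startswith(("*", "!")):
        return "locked"
    return "set"

def shell_status(shell):
    return "noninteractive" if (not shell or shell in NOLOGIN_SHELLS) else "interactive"

def classify_accounts(passwd_text, shadow_text):
    """Map each passwd user to its password and shell status."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, hash_field = line.split(":")[:2]
            shadow[name] = hash_field
    result = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        name, pw, shell = f[0], f[1], f[6] if len(f) > 6 else ""
        # "x" means the hash lives in shadow; a user missing there can never match.
        hash_field = shadow.get(name, "*") if pw == "x" else pw
        result[name] = {"password": password_status(hash_field), "shell": shell_status(shell)}
    return result

def interactive_password_logins(classified):
    """Users who pass both checks: a usable password and an interactive shell."""
    return sorted(u for u, s in classified.items()
                  if s["password"] == "set" and s["shell"] == "interactive")
```

Run as root against the real files with classify_accounts(open('/etc/passwd').read(), open('/etc/shadow').read()). This covers only the two checks in the answer, not SSH keys, access.conf or PAM restrictions.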

Solution 2:

There is a difference between disabling the user and setting the shell to /bin/false or similar.

Setting the shell to /bin/false prevents the user from getting a shell, but they can still log in to the system if local users are used for something else (mail authentication, ftp, and so on). Disabling the user makes it impossible for him to use any services of the server that use local users.

Solution 3:

In addition to the above, users may be locked out from a system even though their password entry looks correct using several different methods.

/etc/security/access.conf can be used to limit who can log in.

There are many PAM modules that can be configured to restrict specific users, or modify login behavior based on need. (i.e. no home directory on the server disallows login.)