nologin Command in Linux
The nologin command in Unix and Linux systems is designed to prevent a user from logging into the system. When it is set as an account's login shell, any attempt to log in to that account, whether local or remote, is refused. However, the account remains active, so it can still perform other functions such as running scheduled jobs (cron jobs) or system processes.
Disabling User Login using nologin Command
The primary objective of nologin is to disable user login. By setting a user's shell to /sbin/nologin (or a similar path), the system ensures that the user cannot log in via terminal, SSH, or any other login service. This is particularly useful for service accounts or accounts that should not have shell access.
When a user tries to log in to an account with nologin set as their shell, the system checks for the existence of the /etc/nologin.txt file. If this file exists, the contents of the file are displayed as a message to the user. This allows administrators to provide a custom message, such as "Login is disabled for this account. Please contact the system administrator."
If the /etc/nologin.txt file does not exist, the system defaults to a standard message, like "This account is currently not available." This ensures that users are informed of the login restriction even if no custom message is set.
Many system accounts, such as those for daemons or services, use /sbin/nologin as their shell since they are not intended to log in interactively. This ensures these accounts can perform their necessary functions without allowing user access.
In addition, the nologin command exits with a non-zero status. This means that any login attempt to an account with nologin as the shell will fail, and the system will register this attempt as unsuccessful.
Setting nologin for a User
To set up nologin for a user, you can modify the user's shell to /sbin/nologin (or /usr/sbin/nologin depending on your system). This is an effective way to prevent a user from logging into the system, while still keeping their account active for other functions.
To get started, open your terminal and use the usermod command to change the user's shell to nologin. Replace username with the actual user's name −
sudo usermod -s /sbin/nologin username
This command sets the shell for the specified user to nologin, effectively preventing them from logging in interactively.
To ensure that the user's shell has been updated, you can check their entry in the /etc/passwd file or use the getent command −
sudo getent passwd username
The last field of the output should be /sbin/nologin, the user's shell, confirming that they cannot log in.
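The same check applied to every account at once, as an added example that is not part of the original page: the script reads passwd entries and lists system accounts that still have a login shell. The function names, the UID cutoff of 999 for system accounts, and treating /bin/false as a non-login shell are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit passwd-format entries for
# system accounts that still have a login shell.
# Assumptions: the function names, the UID cutoff of 999 for system accounts,
# and treating /bin/false like nologin are choices made for this example.

# Reads passwd(5) lines on stdin; prints "name:uid:shell" for each non-root
# account with uid <= cutoff (first argument, default 999) whose shell is
# not a non-login shell.
list_login_capable() {
    awk -F: -v max="${1:-999}" '
        /^#/ || NF != 7 { next }            # skip comments and malformed lines
        { uid = $3 + 0 }
        uid == 0 || uid > max + 0 { next }  # root and regular users: out of scope
        $7 ~ /^(\/usr)?\/sbin\/nologin$/ { next }  # both paths the page mentions
        $7 ~ /^(\/usr)?\/bin\/false$/ { next }     # assumption: also non-login
        # An empty shell field means /bin/sh, so it still allows login.
        { print $1 ":" uid ":" ($7 == "" ? "(empty, defaults to /bin/sh)" : $7) }
    '
}

# Constructed sample data, not taken from a real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
reports:x:120:120::/srv/reports:
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# Demo on the sample; on a live host use: getent passwd | list_login_capable
sample_passwd | list_login_capable
```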
Example of nologin Command in Linux
Let's say you have a user named Tutorialspoint. You need to prevent Tutorialspoint from logging into the system but want to keep their account active for running certain scheduled jobs. Here's how you can do it −
Modify the Shell
Open the terminal and execute the following command −
sudo usermod -s /sbin/nologin Tutorialspoint

Check the change: Run the getent command to verify the shell assignment −
sudo getent passwd Tutorialspoint

Create a Custom Message
If you want to display a custom message when Tutorialspoint attempts to log in, you can simply create or edit the /etc/nologin.txt file −
echo "Login is disabled for this account. Please contact the system administrator." | sudo tee /etc/nologin.txt
With these steps, Tutorialspoint will not be able to log in interactively, and if they attempt to do so, they will see the custom message informing them that their login is disabled.
This approach ensures that the user account remains active for necessary background processes while preventing any interactive login access.

If you want to revert the changes after disabling a user account, it is quite simple. You just need to reset the user's shell to a standard login shell, such as /bin/bash or /bin/sh. Here's how you can do it −
Use the usermod command to change the user's shell back to a standard login shell. Replace Tutorialspoint with your actual user's name −
sudo usermod -s /bin/bash Tutorialspoint
This command sets the shell for the specified user to /bin/bash, allowing them to log in normally.

To ensure that the user's shell has been updated, you can check their entry in the /etc/passwd file or use the getent command −
sudo getent passwd Tutorialspoint

Conclusion
The nologin command is a valuable tool for managing user access in Unix and Linux systems. It effectively disables interactive logins while allowing accounts to remain active for background tasks, such as cron jobs or service processes. This makes it especially useful for system and service accounts that don't require login access.
By modifying a user's shell to /sbin/nologin, you can easily prevent unauthorized logins while maintaining account functionality. The ability to display a custom message enhances system communication, ensuring users understand the restrictions.