Account Locking in Ubuntu
Account locking on Ubuntu works at two levels: manual locking (an administrator disables a specific account) and automatic lockout (the system automatically locks accounts after repeated failed login attempts). The automatic lockout is an important defense against brute-force password attacks and is configured through PAM.
Manual account locking
# Lock an account (prepends ! to the password hash in /etc/shadow)
sudo usermod -L irfan
# Alternative with passwd command
sudo passwd -l irfan
# Verify it's locked
sudo passwd --status irfan
passwd --status output
irfan L 2024-06-01 0 99999 7 -1
# ^ L = locked, P = password set, NP = no password
# Unlock the account
sudo usermod -U irfan
# or
sudo passwd -u irfan
# Lock without affecting SSH key authentication
# (passwd -l and usermod -L only block password auth, not SSH keys)
# To block SSH key auth too, change the shell to nologin:
sudo usermod -s /usr/sbin/nologin irfan
# Restore shell to bash
sudo usermod -s /bin/bash irfan
📝 NOTE:
usermod -L and passwd -l only prevent password-based logins. An SSH public key in ~/.ssh/authorized_keys will still work. To fully block a user from logging in via SSH, change their shell to /usr/sbin/nologin in addition to locking the password, or remove their authorized_keys file.
Automatic lockout after failed attempts
The pam_faillock module (included in libpam-modules on Ubuntu 22.04+) automatically locks accounts after N consecutive failed authentication attempts.
# Configure faillock in /etc/security/faillock.conf
sudo nano /etc/security/faillock.conf
/etc/security/faillock.conf — recommended settings
# Lock after 5 consecutive failures
deny = 5
# Count only failures that happen within a 10-minute window
fail_interval = 600
# Keep the account locked for 15 minutes before auto-unlock
unlock_time = 900
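# Do not lock root (prevents accidental root lockout)
# even_deny_root is a flag: its presence enables root lockout whatever value follows it,
# so leave it commented out to keep root exempt
# even_deny_root
# Log the user name to syslog when the user is not found
audit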
# Enable pam_faillock in PAM configuration
# Ubuntu 22.04+: add to /etc/pam.d/common-auth
# Add BEFORE pam_unix.so:
sudo nano /etc/pam.d/common-auth
Lines to add to /etc/pam.d/common-auth
# Required before pam_unix:
auth required pam_faillock.so preauth silent
# After pam_unix line:
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
Understanding faillock
# Check the faillock status for a user
sudo faillock --user irfan
faillock output showing failed attempts
irfan:
When Type Source Valid
2024-06-01 14:21:03 RHOST 192.168.1.45 V
2024-06-01 14:21:09 RHOST 192.168.1.45 V
2024-06-01 14:21:15 RHOST 192.168.1.45 V
# Account is now locked (3 of 5 shown)
# Manually reset (unlock) a locked account
sudo faillock --user irfan --reset
# Check all users with failed logins
sudo faillock
# View failed login attempts in auth.log
grep "pam_faillock" /var/log/auth.log | tail -10
Setting account expiry
# Set account to expire on a specific date
sudo usermod -e 2025-12-31 contractor
# Set account to expire immediately (disable now)
sudo usermod -e 1 irfan # Epoch day 1 = Jan 2, 1970
# Remove expiry date
sudo usermod -e "" contractor
# View expiry date
sudo chage -l contractor | grep "Account expires"
Verifying lock status
# Comprehensive account status check
sudo passwd --status irfan
sudo chage -l irfan
sudo faillock --user irfan
# Check if account has an ! in /etc/shadow (locked password)
sudo grep "^irfan:" /etc/shadow | cut -d: -f2 | cut -c1
# Output: ! means locked, $ means valid password hash
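The checks above combined into one function, as an added example that is not part of the original article: it reads one /etc/shadow line and one /etc/passwd line and reports which login paths remain open. The function names, the HAS_KEYS argument and the sample entries are constructed for illustration, and treating an expired account as closed for SSH key logins as well is an assumption beyond what the article states.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): which login paths stay open
# for an account, judged from its /etc/shadow and /etc/passwd entries.

# password_state SHADOW_LINE -> locked | no-password | set  (L / NP / P)
password_state() {
    local field
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '!'*|'*'*) echo locked ;;       # usermod -L / passwd -l prepend "!"
        '')        echo no-password ;;
        *)         echo set ;;
    esac
}

# account_expired SHADOW_LINE TODAY_DAYS -> exit 0 if expiry (field 8) has passed
account_expired() {
    local expire
    expire=$(printf '%s\n' "$1" | cut -d: -f8)
    [ -n "$expire" ] && [ "$2" -ge "$expire" ]
}

# shell_is_nologin PASSWD_LINE -> exit 0 if the login shell (field 7) is nologin
shell_is_nologin() {
    case "$(printf '%s\n' "$1" | cut -d: -f7)" in
        */nologin) return 0 ;;
        *)         return 1 ;;
    esac
}

# open_paths SHADOW_LINE PASSWD_LINE TODAY_DAYS HAS_KEYS(yes|no)
# Prints the remaining login paths: "password", "ssh-key", both, or "none".
open_paths() {
    local paths=""
    if account_expired "$1" "$3" || shell_is_nologin "$2"; then
        echo none
        return 0
    fi
    [ "$(password_state "$1")" != locked ] && paths="password"
    [ "$4" = yes ] && paths="${paths:+$paths }ssh-key"
    echo "${paths:-none}"
}

# Constructed sample entries (placeholder hash), as left by `usermod -L irfan`.
shadow='irfan:!$y$j9T$constructed$placeholder:19875:0:99999:7:::'
today=$(( $(date +%s) / 86400 ))
echo "bash shell:    $(open_paths "$shadow" 'irfan:x:1001:1001::/home/irfan:/bin/bash' "$today" yes)"          # -> ssh-key
echo "nologin shell: $(open_paths "$shadow" 'irfan:x:1001:1001::/home/irfan:/usr/sbin/nologin' "$today" yes)"  # -> none
```

On a live system, pass it the output of `sudo getent shadow irfan` and `getent passwd irfan`, and set the last argument according to whether the user's authorized_keys file exists and is non-empty.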
Conclusion
Use usermod -L for immediate manual locking of an account when a user leaves the organization or you suspect compromise. Configure pam_faillock with deny=5 and unlock_time=900 to automatically block brute-force attacks on all accounts. Remember that password locking does not block SSH key authentication — also change the shell to /usr/sbin/nologin if you need to fully prevent login.
FAQ
Is Account Locking important for Ubuntu administrators?
Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.
Should I practice this on a live server?
Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.
What should I do after reading this article?
Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.