In this article I will share different methods to check the lock status of a user in a Linux or Unix environment. Using these commands and methods you can identify whether a user is locked, which kind of lock is in place, and how to unlock the user.
You need root level access or sudo access to execute most of the commands explained in this tutorial, because /etc/shadow is readable only by root.
Case 1: Password Locked
In this case the password of an account has been locked with passwd -l. Keep in mind that this locks only password authentication: a user who has an authorized SSH key can still log in.
To lock the password:
# passwd -l user1
Locking password for user user1.
passwd: Success
Review the status in /etc/shadow:
# grep user1 /etc/shadow
user1:!!$6$ciJaoDR9$Qpt9sctRLjbZ4/Agxy9UOvu/XQqNrFo9rpgfZ/xrF/8JphkEvF29ITpef0SVLdJcrpv8Q/.6mRAHee4tZT0r11:16299:0:99999:7:::
As you can see above, two exclamation marks (!!) have been prepended to the encrypted password, which means that the password has been locked. Red Hat based distributions use !! here; the passwd command on Debian and Ubuntu prepends a single !, so either prefix in front of a hash means the password is locked.
To unlock the password:
# passwd -u user1
Unlocking password for user user1.
passwd: Success
Case 2: Account is Locked
In this case the user account has been locked by the administrator with usermod -L. Like passwd -l, this only prefixes the password field, so it blocks password logins but not key-based SSH logins.
To lock an account:
# usermod -L user1
Review your /etc/shadow file for the changes:
# grep user1 /etc/shadow
user1:!$6$ciJaoDR9$Qpt9sctRLjbZ4/Agxy9UOvu/XQqNrFo9rpgfZ/xrF/8JphkEvF29ITpef0SVLdJcrpv8Q/.6mRAHee4tZT0r11:16299:0:99999:7:::
As you can see, a single exclamation mark (!) has been prepended to the encrypted password, which signifies that the user account is locked.
To unlock a user account:
# usermod -U user1
If you need the account to reject every login method, including SSH keys, also expire it with chage -E 0 user1 (undo with chage -E -1 user1); the expiry date is stored in the eighth field of /etc/shadow.
Case 3: Password never set
This can also be the scenario where the administrator has not assigned any password, due to which the user is not able to log in with a password.
To verify this, again check your /etc/shadow file:
# grep user1 /etc/shadow
user1:!!:16299:0:99999:7:::
As you can see, two exclamation marks (!!) are there but no encrypted password follows them, which means a password has never been set. (On Debian and Ubuntu, useradd writes a single ! in this situation.)
If the password was set and not locked, your /etc/shadow entry would look like the one below:
# grep user1 /etc/shadow
user1:$6$ciJaoDR9$Qpt9sctRLjbZ4/Agxy9UOvu/XQqNrFo9rpgfZ/xrF/8JphkEvF29ITpef0SVLdJcrpv8Q/.6mRAHee4tZT0r11:16299:0:99999:7:::
How to Lock and Unlock Linux User Account?
We can lock a user account using the usermod command with the -L argument:
usermod -L <username>
To unlock the user in such a situation, use usermod -U <username>:
usermod -U user1
Different methods to check the lock status of any Linux Account
1. Using passwd -S Command
We can use the passwd -S command to check the lock status. The second field of its output is the status code:
passwd -S user1
On Rocky Linux the status is LK and the line ends with (Password locked.), so we can see that the user's password is locked.
On Ubuntu the status is L, which means the user account is locked.
If the user account is unlocked, Rocky Linux reports PS followed by a note such as (Password set, SHA512 crypt.).
On Ubuntu an unlocked account shows P, which means a password is set. On both distributions NP means that no password is set.
2. Checking Lock Status Using /etc/shadow File
You can grep for your user inside the /etc/shadow file and look for the ! symbol at the start of the second field of the user's row. The ! (exclamation mark) indicates that the user account has been explicitly locked by someone.
root@server:~# grep user1 /etc/shadow
user1:!$y$j9T$hO.2hCqDZq3IzYpqJzR0r0$NYFsfk.iFBPk4okUl0oHAtHPyjAE9B7D5XSanW70LW6:20004:0:99999:7:::
If the ! is missing, the user account is in the unlocked state.
The second field can start with either ! or *: ! indicates that the user account is locked, while * indicates that password authentication is disabled for that account (no password can ever match), which is how system and service accounts are normally shipped.
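The three cases above and this method all come down to reading the second and eighth fields of a shadow(5) entry. The script below is an added example, not part of the original article: it classifies the password field (never set, locked, disabled or unlocked) and separately reports whether the account has expired, since only expiry blocks SSH keys as well. The sample entries are constructed for illustration and the hash strings are placeholders, not real hashes.

```shell
#!/bin/sh
# Added example (not from the original article): classify a user's lock
# state from a shadow(5) entry. Sample entries below are constructed; the
# hash strings are placeholders, not real hashes.

# classify_shadow_field FIELD
# Prints the state encoded in the second (password) field of /etc/shadow:
#   no-password  field is empty, "!" or "!!": a password was never set
#   locked       field starts with "!" followed by a hash: passwd -l
#                (!! on Red Hat, ! on Debian/Ubuntu) or usermod -L
#   disabled     field is "*": no password can match (service accounts)
#   unlocked     anything else: a usable password hash
classify_shadow_field() {
    case "$1" in
        ''|'!'|'!!') echo no-password ;;
        '!'*)        echo locked ;;
        '*')         echo disabled ;;
        *)           echo unlocked ;;
    esac
}

# shadow_status LINE [TODAY]
# LINE is a full /etc/shadow entry; TODAY is the current day counted in
# days since 1970-01-01 (defaults to now). Prints
# "<user> <password-state> <expiry-state>". Field 8 is the account
# expiration day: an expired account rejects every authentication method,
# including SSH keys, whereas a "!" prefix only blocks password logins.
shadow_status() {
    line=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    printf '%s\n' "$line" | {
        IFS=: read -r user pw last min max warn inact expire rest
        pwstate=$(classify_shadow_field "$pw")
        expstate=active
        case "$expire" in
            ''|*[!0-9]*) ;;   # no expiry date set
            *) [ "$expire" -le "$today" ] && expstate=expired ;;
        esac
        printf '%s %s %s\n' "$user" "$pwstate" "$expstate"
    }
}

# Constructed sample entries mirroring the cases in the article:
# passwd -l on Red Hat, usermod -L, never set, set, service account,
# and a set password on an account that expired on day 19000.
SAMPLE_SHADOW='user1:!!$6$ciJaoDR9$PLACEHOLDER:16299:0:99999:7:::
user2:!$6$ciJaoDR9$PLACEHOLDER:16299:0:99999:7:::
user3:!!:16299:0:99999:7:::
user4:$6$ciJaoDR9$PLACEHOLDER:16299:0:99999:7:::
svc:*:16299:0:99999:7:::
contractor:$6$ciJaoDR9$PLACEHOLDER:16299:0:99999:7::19000:'

# Report every sample entry with a fixed "today" (day 20000) so the
# output does not depend on when the script is run.
report_samples() {
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r entry; do
        shadow_status "$entry" 20000
    done
}

report_samples
```

On a real system you would feed it the live entry instead of the samples, for example `shadow_status "$(grep '^user1:' /etc/shadow)"` as root; the fixed day argument is only there to keep the sample output stable.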
3. Check if account is locked due to wrong password
It is possible that your system is configured to use pam_tally2 or faillock to lock a user out after the user attempts to log in with an incorrect password n number of times.
You can refer to these articles, which cover the usage and implementation of faillock and pam_tally2:
- pam_faillock: lock user account after X failed login attempts in Linux
- pam_tally2: lock user account after X failed login attempts in Linux
In such cases the check depends upon the tool you are using. In my case it is faillock, so I use the faillock command to check the number of failed login attempts:
faillock --user user1
This command will show the failed login attempts recorded for user1. To clear the counter and unlock the user, run faillock --user user1 --reset (with pam_tally2 the equivalent is pam_tally2 --user user1 --reset).
Next, check your configuration for the maximum number of failed logins allowed before the user is locked:
grep faillock /etc/pam.d/system-auth
You may have to check this in /etc/pam.d/system-auth, /etc/pam.d/password-auth and /etc/pam.d/common-auth depending upon your distro and requirements; on newer distributions managed by authselect the options may instead be set in /etc/security/faillock.conf.
For example, in my case I have set deny=5, so after 5 failed login attempts the user will be locked for unlock_time=900 seconds (15 minutes) before the lock expires on its own:
[root@server ~]# grep faillock /etc/pam.d/system-auth
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
account required pam_faillock.so