Thomas' Tech Tips

3 Different ways to disable a system account on Linux

22 March 2025 - Thomas Damgaard

There are different ways to disable a system user account on Linux:

Lock user

The most straightforward way is to explicitly disable or lock the user using the usermod -L command.

Example:

usermod -L someuser

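Locking the user this way makes the user unable to authenticate with their password. Note that only the password is locked: other authentication methods, such as SSH keys, are not affected, and it will not prevent root from using su to change to this user.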

In practice, what this means is that a ! is added to the beginning of the password column in /etc/shadow.

To enable or unlock the user, use the usermod -U command.

Example:

usermod -U someuser

Alternatively, the passwd command may be used to lock/unlock the user.

This has the same effect.

To lock a user, run:

passwd -l someuser

To unlock the user, run:

passwd -u someuser

Expire user

Another option is to expire the user account. This is done using the chage command.

To expire a user, run:

chage -E 0 someuser

This will set the account to expire at the Unix epoch – Jan 1, 1970.

Alternatively, the account can be set to expire at a specific date like this:

chage -E YYYY-MM-DD someuser

When the account is expired, it cannot authenticate. Additionally, it is not possible to change to the user using su.

If root tries to su to the expired account, they will get this error:

Your account has expired; please contact your system administrator.
su: Authentication failure

Set shell to nologin

Another option is to change the user's shell to nologin.

This is done using either:

usermod -s /usr/sbin/nologin someuser

or

chsh -s /usr/sbin/nologin someuser

Attempting to login as a user with nologin shell produces this error:

This account is currently not available.

If root tries to su to the user, a message is logged to syslog:

Attempted login by root (UID: NNNNN) on /dev/pts/0
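
To check which of the three methods above is in effect for an account, the relevant fields can be read straight from the shadow and passwd files. The script below is an added example, not part of the original article; the function name account_state, its arguments and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# account_state SHADOW_FILE PASSWD_FILE USER [TODAY_DAYS]
# Prints which of "locked", "expired", "nologin" apply, else "active".
account_state() {
    # Shadow dates count days since 1970-01-01; default to today.
    today=${4:-$(( $(date +%s) / 86400 ))}
    awk -F: -v u="$3" -v today="$today" '
        # shadow: field 2 = password hash, field 8 = account expiry day
        FILENAME == ARGV[1] {
            if ($1 == u) {
                seen = 1
                if (substr($2, 1, 1) == "!") locked = 1
                # Empty or -1 means "never expires"; 0 is treated as expired,
                # matching the su behaviour the article describes for chage -E 0.
                if ($8 != "" && $8 + 0 >= 0 && $8 + 0 <= today) expired = 1
            }
            next
        }
        # passwd: field 7 = login shell
        $1 == u { seen = 1; if ($7 ~ /\/nologin$/) nologin = 1 }
        END {
            if (!seen) { print "unknown"; exit }
            out = ""
            if (locked)  out = out " locked"
            if (expired) out = out " expired"
            if (nologin) out = out " nologin"
            print (out == "" ? "active" : substr(out, 2))
        }
    ' "$1" "$2"
}

# Constructed sample data (not from a real system), one account per case.
demo_dir=$(mktemp -d)
cat > "$demo_dir/shadow" <<'EOF'
alice:$6$salt$hash:20000:0:99999:7:::
bob:!$6$salt$hash:20000:0:99999:7:::
carol:$6$salt$hash:20000:0:99999:7::0:
dave:$6$salt$hash:20000:0:99999:7:::
erin:!$6$salt$hash:20000:0:99999:7::0:
EOF
cat > "$demo_dir/passwd" <<'EOF'
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:/usr/sbin/nologin
erin:x:1005:1005::/home/erin:/bin/bash
EOF
for u in alice bob carol dave erin; do
    printf '%s: %s\n' "$u" "$(account_state "$demo_dir/shadow" "$demo_dir/passwd" "$u")"
done
```

On a live system, pass /etc/shadow and /etc/passwd as the first two arguments; reading /etc/shadow requires root.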