nologin

Set a user's login shell to nologin to prevent the user from logging in

$ chsh [[-s|--shell]] [user] nologin

$ echo "[declined_login_message]" > /etc/nologin.txt

nologin

The nologin command, typically located at /usr/sbin/nologin, is a special shell program designed to prevent direct interactive login access for a user account. When a user's login shell in /etc/passwd is set to nologin, any attempt by that user to log in via mechanisms like login(1) or sshd(8) will be denied. Instead of granting a shell prompt, nologin displays a configurable message (by default, "This account is currently not available.") to the user and then immediately exits with a non-zero status, effectively terminating the login attempt. This utility is widely used for system accounts (e.g., daemon, bin, nobody) that do not require interactive shell access, for accounts that are temporarily disabled, or for accounts dedicated to specific services (e.g., an FTP-only user). It acts as a simple yet effective security measure by limiting potential attack surfaces and ensuring that even if a user's password becomes compromised, an attacker cannot gain a shell on the system.

Using nologin only prevents interactive shell access. It does not prevent access to other services (such as FTP, Samba, Web services, or mail) if those services are separately configured to allow access for the account. Additionally, it does not inherently prevent a user from executing commands via sudo if their sudoers configuration permits it. It is not a substitute for robust security practices like strong passwords and proper file permissions.

To set nologin as a user's shell, you can use:
sudo usermod -s /usr/sbin/nologin username
When creating a new user:
sudo useradd -s /usr/sbin/nologin newuser
Alternatively, a user can change their own shell (if permitted) using:
chsh -s /usr/sbin/nologin

By default, nologin displays a generic message. To customize this message, create a file named /etc/nologin.txt. The contents of this file will be displayed to the user upon a failed login attempt instead of the default message.

While false(1) can also be used as a login shell to deny access (as it simply exits with a non-zero status), it provides no message to the user, making the reason for login failure less clear. nologin offers a more user-friendly experience by explicitly informing the user that their account is unavailable.

The concept of a 'nologin' shell has been a fundamental part of Unix-like operating systems for decades, providing a simple and standardized way to disable interactive login access for specific user accounts. Its core functionality has remained consistent over time, serving as a basic but essential tool in user account management and system security.

passwd(5), chsh(1), login(1), sshd(8), useradd(8), usermod(8), false(1), true(1)