nologin
Prevent user logins to the system
TLDR
Set a user's login shell to nologin to prevent the user from logging in
Customize message for users with the login shell of nologin
SYNOPSIS
nologin
DESCRIPTION
The nologin command, typically located at /usr/sbin/nologin (/sbin/nologin on older Red Hat-style systems), is a small program meant to be used as the login shell of accounts that must never get an interactive session. It performs no authentication of its own. Once login(1), sshd(8) or su(1) has accepted a user's credentials, it executes whatever shell is recorded for that user in /etc/passwd (or in the NSS source, such as LDAP, that getent passwd resolves). If that shell is nologin, the program prints a message (by default "This account is currently not available.", or the contents of /etc/nologin.txt if that file exists), ignores any -c command argument passed to it (for example the remote command in ssh user@host command), and exits with a non-zero status, so the session ends immediately. It is the standard shell for system accounts (daemon, bin, nobody, and most service accounts created with useradd -r), for accounts that are temporarily disabled, and for accounts that are used only through a non-shell service (for example an SFTP-only user). Because it acts after authentication, it denies a shell regardless of how the user authenticated: locking the password with passwd -l or usermod -L leaves SSH public-key authentication working, whereas a nologin shell also stops the holder of a valid key from getting a shell.
CAVEATS
Using nologin only prevents a login shell from being started. It does not by itself prevent access to other services (FTP, Samba, web applications, IMAP or SMTP, or sshd's internal-sftp subsystem, which sshd runs without invoking the shell) when those services authenticate the account themselves. Some services consult /etc/shells, through pam_shells(8) or their own checks, and refuse accounts whose shell is not listed there; that is a property of the service, not of nologin, and /usr/sbin/nologin is listed in /etc/shells on some distributions and not on others.

A user who can authenticate to sshd but never gets a shell can still request port forwarding with ssh -N, because forwarding does not require a session command. If that matters for the account, set AllowTcpForwarding no (and PermitTTY no where appropriate) in a Match User block of sshd_config(5).

Processes started as the account by other means keep working: cron(8) and at(1) jobs run through /bin/sh rather than the login shell, root can still run su -s /bin/bash user, and a sudoers(5) rule that lets another user run commands as the account (sudo -u account ...) is unaffected. Setting nologin does not lock or expire the password either; combine it with passwd -l, usermod -L or chage -E when the aim is to disable the account entirely. Do not confuse /etc/nologin.txt, the message file, with /etc/nologin: if the latter exists, login(1) and pam_nologin(8) refuse every non-root login on the host. nologin is not a substitute for strong credentials and correct file permissions.
USAGE
To set nologin as a user's shell, you can use:
sudo usermod -s /usr/sbin/nologin username
When creating a new user:
sudo useradd -s /usr/sbin/nologin newuser
A user can also change their own shell with chsh(1). For non-root users chsh accepts only shells listed in /etc/shells, where nologin is often absent, and running this on your own account locks you out of interactive logins from then on:
chsh -s /usr/sbin/nologin
Check the result with getent passwd username; the last field is the shell that will be executed at the next login.
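The following audit script is an added example, not part of nologin or of any distribution's tooling. It puts the usage above to work on a whole host: it reads a passwd(5)-format file, lists every account whose shell is not one of the usual deny shells, and prints, as a dry run, the usermod commands that would move the remaining system accounts (UID below 1000, root excluded) to nologin. The passwd data at the bottom is constructed for the example; on a real host point interactive_accounts at /etc/passwd or at the output of getent passwd. The deny-shell list, the 1000 UID boundary and the function names are the example's own assumptions.

```shell
#!/bin/sh
# Audit which accounts in a passwd(5)-format file still have an interactive
# login shell, and emit the usermod(8) commands that would switch the
# system/service accounts among them to nologin. Dry run only: nothing is
# modified. Hypothetical helper written for this page, not part of nologin.

# Shells that deny an interactive session. Assumed list; extend as needed.
NOLOGIN_SHELLS="/usr/sbin/nologin /sbin/nologin /bin/false /usr/bin/false"

# is_nologin_shell SHELL -> exit 0 if SHELL is one of the deny shells.
# An empty shell field is NOT a deny shell: login(1) treats it as /bin/sh.
is_nologin_shell() {
    _s=$1
    for _d in $NOLOGIN_SHELLS; do
        [ "$_s" = "$_d" ] && return 0
    done
    return 1
}

# interactive_accounts PASSWD_FILE -> prints "user:uid:shell" for every
# account whose shell is not a deny shell. Blank and comment lines skipped.
interactive_accounts() {
    while IFS=: read -r user _pw uid _gid _gecos _home shell; do
        case $user in ''|\#*) continue ;; esac
        if ! is_nologin_shell "$shell"; then
            printf '%s:%s:%s\n' "$user" "$uid" "$shell"
        fi
    done < "$1"
}

# remediation_commands PASSWD_FILE -> prints one usermod line per system
# account (uid < 1000, root excluded) that still has an interactive shell.
# The 1000 boundary matches the default UID_MIN in login.defs(5) on most
# Linux distributions; adjust it if the host uses another value.
remediation_commands() {
    interactive_accounts "$1" | while IFS=: read -r user uid shell; do
        if [ "$user" != root ] && [ "$uid" -lt 1000 ]; then
            printf 'usermod -s /usr/sbin/nologin %s\n' "$user"
        fi
    done
}

# Constructed sample passwd(5) data so the script runs stand-alone.
# These are not entries from a real host.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
postgres:x:118:125:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
ftpuser:x:1002:1002:FTP only:/srv/ftp:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF

echo "Accounts with an interactive shell:"
interactive_accounts "$SAMPLE_PASSWD"
echo
echo "Dry-run remediation for system accounts (review before running as root):"
remediation_commands "$SAMPLE_PASSWD"
```

On the sample data the first list contains root, backup, postgres and alice, and the dry run proposes usermod lines for backup and postgres only: alice is a regular user and root must keep its shell. Review the proposed lines before applying them; a service that really does need a shell (for example one started through su - account by an init script) will break if its shell is changed.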
CUSTOMIZING THE MESSAGE
By default, nologin prints "This account is currently not available." To replace that text, create /etc/nologin.txt; when the file exists, nologin prints its contents instead of the built-in message. The message is shown only after authentication has succeeded, so keep it short and do not reveal more than the fact that interactive logins are disabled for the account (a contact address for the administrator is a common choice). This file is unrelated to /etc/nologin, whose mere existence makes login(1) and pam_nologin(8) refuse all non-root logins.
COMPARISON WITH FALSE(1)
false(1) works as a login shell for the same reason nologin does: the login process executes it and it exits immediately with a non-zero status, so the session ends before a prompt appears. It prints nothing, so neither the user nor the administrator reading the resulting support ticket gets a hint why the connection closed. nologin prints a message, can be customized through /etc/nologin.txt, and is what most distributions assign to their own system accounts, which makes it the conventional choice; /bin/false is still found on older installations and works equally well as a denial.
HISTORY
The concept of a 'nologin' shell has been a fundamental part of Unix-like operating systems for decades, providing a simple and standardized way to disable interactive login access for specific user accounts. Its core functionality has remained consistent over time, serving as a basic but essential tool in user account management and system security.