8

From man usermod:

Note: if you wish to lock the account (not only access with a password), you should also set the EXPIRE_DATE to 1.

  • Why should we expire a locked account to totally prevent access to the account?
  • What will happen if I do not expire a locked account?
muru
Sinoosh

2 Answers

13

usermod -L actually only locks the user's password, so the user is still able to log in using other methods, for example an SSH session which uses public key authentication.

But if you set the EXPIRE_DATE to 1, the account will be expired entirely and the user is not able to use it in any way. This is because 1 is equal to it expiring at 1970-01-01 00:00:01.

Tim
Ravexina
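An audit for the situation this answer describes, as an added example that is not part of the original answer: it reads a file in shadow(5) format and lists accounts whose password was locked with usermod -L but whose expiry field still permits logins by other methods such as SSH keys. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Lists accounts that are password-locked but not expired.

# usage: locked_not_expired SHADOW_FILE [TODAY_IN_DAYS_SINCE_EPOCH]
locked_not_expired() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        # $2: password hash; usermod -L prefixes an existing hash with "!"
        # $8: expiry date in days since 1970-01-01; empty means no expiry,
        #     and shadow(5) calls 0 ambiguous, so 0 is reported as well
        $2 ~ /^![^!*]/ && ($8 + 0 == 0 || $8 + 0 > today) { print $1 }
    ' "$1"
}

# Constructed sample in shadow(5) format; the hashes are placeholders.
sample_shadow() {
    cat <<'EOF'
alice:$6$placeholder$hash:19000:0:99999:7:::
bob:!$6$placeholder$hash:19000:0:99999:7:::
carol:!$6$placeholder$hash:19000:0:99999:7::1:
dave:!$6$placeholder$hash:19000:0:99999:7::99999:
daemon:*:19000:0:99999:7:::
EOF
}

# Runs the check on the sample with a fixed "today" so the result is stable.
demo() {
    tmp=$(mktemp) || return 1
    sample_shadow > "$tmp"
    locked_not_expired "$tmp" 20000
    rm -f "$tmp"
}

demo   # bob: locked, no expiry; dave: locked, expiry still in the future
```

On a real system, run `locked_not_expired /etc/shadow` as root; every name it prints is an account where usermod -L was applied without also setting an expiry date in the past.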
2

Because ssh keys don't care about passwords, you need the account to die instead.

The old wisdom was to change the user's shell to /bin/false; however, this doesn't actually work.

Joshua