How to use the command 'nologin' (with examples)
- Linux
- December 17, 2024
The nologin command in Unix-like systems is an essential tool for system administrators who want to prevent certain users from logging into the system. Instead of completely removing a user account, which can erase important data or disrupt processes that depend on the user’s presence, changing the user’s shell to nologin offers a more straightforward and non-destructive solution. This command can also be accompanied by a custom message to inform users why they are denied access when they attempt to log in.
Use case 1: Setting a user’s login shell to nologin to prevent the user from logging in
Code:
chsh -s /usr/sbin/nologin username
Motivation for this use case:
In many situations, you may want to prevent a user from accessing the system without deleting their account. This can happen during temporary suspensions, for inactive accounts, or when converting service accounts that remotely perform scheduled tasks but do not require interactive login access. This approach ensures the account is preserved for historical records or system processes that may still interact with this account while preventing direct user login attempts.
Explanation for every argument given in the command:
- chsh: This command stands for “change shell” and is used to change a user’s login shell.
- -s: This option specifies the new shell for the user. By specifying /usr/sbin/nologin, you direct the system to use nologin as their shell.
- /usr/sbin/nologin: This path points to the nologin executable, which effectively denies users from logging into interactive shells.
- username: This placeholder represents the actual username of the user whose shell you wish to change. Replace this with the specific username targeted by this operation.
Example output:
When a user attempts to log in after this change, they will simply see nothing or a message if one is configured. The session will terminate without granting shell access. There will be no explicit command-line output from running chsh successfully, but the user’s shell setting will be updated in the system’s password file.
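Because chsh prints nothing on success, the result has to be confirmed by reading the shell field of the password file. The check below is an added example, not part of the original article: the function names and the sample password file are constructed for illustration, and /sbin/nologin is included on the assumption that some distributions install the binary there instead of /usr/sbin/nologin.

```sh
#!/bin/sh
# Added example: verify that accounts meant to be non-interactive really have
# a nologin shell in the password file. Sample data below is constructed.

# Print the login shell (7th passwd field) of user $1 from passwd file $2.
# Prints nothing and returns 1 if the user has no entry.
login_shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }' "$2"
}

# Return 0 if the shell path $1 is a nologin binary (path differs by distro).
is_nologin_shell() {
    case "$1" in
        /usr/sbin/nologin|/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# For each user in $2.. report its status against passwd file $1.
# Output: one "user:STATUS:shell" line per user; returns 1 if any is not locked.
check_nologin() {
    passwd_file=$1; shift
    rc=0
    for user in "$@"; do
        if ! shell=$(login_shell_of "$user" "$passwd_file"); then
            echo "$user:MISSING:"; rc=1
        elif is_nologin_shell "$shell"; then
            echo "$user:OK:$shell"
        else
            # An empty 7th field means the system default shell (/bin/sh).
            echo "$user:LOGIN_ALLOWED:${shell:-/bin/sh}"; rc=1
        fi
    done
    return $rc
}

# Constructed sample password file (not taken from a real system).
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/sbin/nologin
svc:x:1002:1002:Service::
EOF
}
```

On a live system, run it as check_nologin /etc/passwd followed by the usernames that should be locked; a non-zero exit status means at least one of them is missing or still has a login shell.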
Use case 2: Customizing a message for users with the login shell of nologin
Code:
echo "Access to this account is restricted. Please contact your system administrator for more information." > /etc/nologin.txt
Motivation for this use case:
Custom messages can be very useful for administratively managed systems. When users who are unaware of why their access is restricted attempt to log in, they can be notified of the situation without experiencing confusion or undue panic. This message serves as a form of direct communication, instructing users to reach out to appropriate personnel (such as IT or system administrators) for assistance or clarification.
Explanation for every argument given in the command:
- echo: This command is used in Unix-like systems to display a line of text.
- “Access to this account…more information.”: This is the custom message intended for users who attempt to log in and are using the nologin shell.
- >: This operator redirects the output of the echo command to a file. In this case, it overwrites the specified file.
- /etc/nologin.txt: This is the default file location where the message is read by the nologin command when users attempt to log in. Its presence and content dictate what message is displayed.
Example output:
Upon a login attempt under a nologin shell with an /etc/nologin.txt message set, the user will see:
Access to this account is restricted. Please contact your system administrator for more information.
After displaying this message, the session will automatically terminate.
Conclusion:
The nologin command provides system administrators with a versatile and controlled method for denying user access without account deletion. By redirecting a user’s shell to nologin and leveraging a customizable message system, administrators can manage permissions effectively while maintaining the integrity and usability of user accounts in a multi-user system.