Disable Shell Login for Linux Users: Create and Modify Accounts

Background

In a typical Linux installation, new user accounts are assigned a default login shell defined in /etc/default/useradd. Occasionally, an account should not be allowed to log in interactively.

Using the /sbin/nologin Shell

The /sbin/nologin program acts as a shell that immediately terminates a login attempt, displaying the message “This account is currently not available”. It is the standard way to block shell access.

Creating a User with a Disabled Shell

useradd -s /sbin/nologin {username}

Example:

# useradd user01 -s /sbin/nologin
# tail -1 /etc/passwd
user01:x:1000:1000::/home/user01:/sbin/nologin

Attempting to SSH as user01 yields the nologin message and the connection closes.

Modifying an Existing User’s Shell

Two commands can change a user’s login shell:

chsh

usermod

Using chsh

chsh -s /sbin/nologin {username}

On CentOS 8, chsh may be missing; install it first:

# yum -y install util-linux-user
# chsh -s /sbin/nologin user02
Changing shell for user02.
chsh: Warning: "/sbin/nologin" is not listed in /etc/shells.
Shell changed.

Using usermod

usermod -s /sbin/nologin {username}

Example for user03: # usermod -s /sbin/nologin user03 Alternatively, the shell field in /etc/passwd can be edited manually.

Conclusion

The tutorial demonstrates how to prevent a Linux user from obtaining an interactive shell, either at account creation time or by modifying an existing account, using standard system utilities.