How to Block or Disable Normal User Logins in Linux

As a system administrator, you will inevitably perform scheduled system maintenances at some point or another. A few times, your system may also encounter some problem(s) and you will be forced to put it down to fix the problem(s). What ever the situations is, it is a good idea to prevent non-root(normal) users from connecting to the system.

Read Also: Disable or Enable SSH Root Login and Limit SSH Access in Linux

In this article, we will describe how to block non-root users logins using /etc/nologin file as well as a nologin shell in Linux. We will look at how to set a message that explains to users what is actually happening.

How to Block User Logins Using /etc/nologin File

The primary function of /etc/nologin file is to display a message (stored in the file) to users attempting to log on to a system during the process of shutdown.

Once the message has been displayed to the user, the login procedure terminates, preventing the user from logging onto the system.

This can be used to block user login by manually creating the file as follows.

# vi /etc/nologin

Add the message below to the file, which will be shown to users attempting to log on to the system.

The Server is down for a routine maintenance. We apologize for any inconvenience caused, the system will be up and running in 1 hours time. For more information, contact the system admin [email protected]. 

Now you can test if it all works; as you can see from the screen shot below, a normal user tecmint is not able to login.

How to Block User Logins Using nologin Shell

This method works a little differently: it only blocks a user from accessing a shell. But he or she can log on to the system via programs such as ftp that do not necessarily require a shell for the user to connect to a system.

Additionally, it can allow you to block shell access to specific users in special scenarios.

On RHEL/CentOS/Fedora

Simply use chsh (change shell) command to change the users shell in /etc/passwd file from something like /bin/bash or /bin/sh to /sbin/nologin meaning refuse a login.

# chsh -s /bin/nologin tecmint

On Debian/Ubuntu

Here, you have to use /bin/false file. The command below changes the user tecmint’s shell to /bin/false meaning do nothing (after user provides login credentials):

$ sudo chsh -s /bin/false tecmint

You may also like to read these following related articles.

1. How to Enable and Disable Root Login in Ubuntu
2. Resetting/Recovering Forgotten Root User Account Password in RHEL/CentOS 7
3. How to Restrict SFTP Users to Home Directories Using chroot Jail
4. How to Set and Unset Local, User and System Wide Environment Variables in Linux

That’s all for now! If you have any questions or additional ideas to share concerning this topic, make use of the comment form below.