Lock a user account or reset a locked user account
Reviewer: Jeremy C. Reed reed AT reedmedia DOT net FreeBSD/NetBSD/DragonFly
Reviewer: Brett Mahar brett.mahar AT gmail DOT com OpenBSD
Know how to recognize a locked account and how to remove the lock.
Locking an account is commonly accomplished by modifying the user's password field in the user database.
This can be done manually using
On FreeBSD and DragonFly, the pw utility can be used to lock and unlock an account.
It locks an account by prefixing the password field with "*LOCKED*".
For example, to lock a user by name:
$ pw lock fred
Or to unlock an account by the UID:
$ pw unlock 2395
On NetBSD, the usermod (or user mod) program with the -C switch can be used to lock accounts. It also prefixes the password hash with "*LOCKED*". To lock an account use:
$ usermod -C yes julie
And to unlock the account:
$ usermod -C no julie
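To recognize accounts locked this way by pw or usermod -C, check whether the password field starts with "*LOCKED*". The script below is an added example, not part of the original study guide; the function names are hypothetical and the sample entries, including the placeholder hashes, are constructed.

```shell
#!/bin/sh
# Constructed sample in master.passwd layout (10 colon-separated fields):
# name:password:uid:gid:class:change:expire:gecos:home:shell
# The hashes are placeholders, not real password hashes.
sample_master_passwd() {
cat <<'EOF'
# comment line, ignored
root:$2b$10$CONSTRUCTEDHASHroot:0:0::0:0:Charlie &:/root:/bin/sh
fred:*LOCKED*$2b$10$CONSTRUCTEDHASHfred:2395:2395::0:0:Fred:/home/fred:/bin/sh
julie:$2b$10$CONSTRUCTEDHASHjulie:2396:2396::0:0:Julie:/home/julie:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
}

# Print "name uid" for every entry whose password field starts with *LOCKED*.
# index() is used instead of a regex so the asterisks are matched literally.
locked_accounts() {
    awk -F: '
        /^#/ || NF < 10 { next }            # skip comments and malformed lines
        index($2, "*LOCKED*") == 1 { print $1, $3 }
    '
}

# Show the password field an unlock would restore: the same field with the
# leading *LOCKED* marker removed (the stored hash itself is left untouched).
field_after_unlock() {
    awk -F: -v user="$1" '
        $1 == user && index($2, "*LOCKED*") == 1 {
            print substr($2, length("*LOCKED*") + 1)
        }
    '
}

# Demo on the constructed sample: prints "fred 2395".
sample_master_passwd | locked_accounts
```

On a live system the same function can read the real file as root, for example `locked_accounts < /etc/master.passwd`.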
userdel with the -p switch is used to lock a user account (NetBSD can use this command as well, if userdel is built with extensions). To lock:
$ userdel -p [true|yes|non-zero-number] username
$ userdel -p [false|no|0] username
TODO: WARNING: I am pretty sure that does not unlock but removes entry from database. I tested on NetBSD and it removes the entry.
TODO: locking accounts can also be done with password change time and expiration times. This could mention that briefly, but doesn't cover it.
TODO: point to section describing master.passwd format
- Use vipw or chpass to manually lock the account. And then test a login. And then unlock.
vipw(8), chpass(1), pw(8), user(8), userdel(8)