Lock a user account or reset a locked user account
Author: name contact BSD flavour
Reviewer: Jeremy C. Reed reed AT reedmedia DOT net FreeBSD/NetBSD/DragonFly
Reviewer: Brett Mahar brett.mahar AT gmail DOT com OpenBSD
Concept
Know how to recognize a locked account and how to remove the lock.
Introduction
Locking an account is commonly accomplished by modifying the user's password field in the user database.
This can be done manually using vipw or chpass.
On FreeBSD and DragonFly, the pw utility can be used to lock and unlock an account.
It locks an account by prefixing the password field with "*LOCKED*".
For example, to lock a user by name:
$ pw lock fred
Or to unlock an account by the UID:
$ pw unlock 2395
On NetBSD, the usermod (or user mod) program with the -C switch can be used to lock accounts. It also prefixes the password hash with "*LOCKED*". To lock an account use:
$ usermod -C yes julie
And to unlock the account:
$ usermod -C no julie
On OpenBSD, userdel with the -p switch is used to lock a user account (NetBSD can use this command as well, if userdel is built with extensions). To lock:
$ userdel -p [true|yes|non-zero-number] username
To unlock:
$ userdel -p [false|no|0] username
TODO: WARNING: I am pretty sure that does not unlock but removes entry from database. I tested on NetBSD and it removes the entry.
TODO: locking accounts can also be done with password change time and expiration times. This could mention that briefly, but doesn't cover it.
TODO: point to section describing master.passwd format
Examples
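As an added example (not part of the original page or of any BSD tool), the script below recognizes locked entries by the "*LOCKED*" prefix that pw and usermod add, and applies or removes that prefix on a copy of the data. The function names locked_accounts and set_lock, the ten-field master.passwd layout and the sample entries with placeholder hashes are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: works on a constructed sample in master.passwd layout
# (name:password:uid:gid:class:change:expire:gecos:home:shell), never on the
# live database. Edit the real file only through vipw or chpass.

PREFIX='*LOCKED*'

# Print the login names whose password field starts with the lock prefix.
locked_accounts() {
    awk -F: -v p="$PREFIX" 'index($2, p) == 1 { print $1 }' "$1"
}

# Print FILE with USER's password field locked or unlocked (ACTION).
# Locking an already locked entry, or unlocking an unlocked one, is a no-op.
set_lock() {
    awk -F: -v OFS=: -v p="$PREFIX" -v u="$2" -v a="$3" '
        $1 == u {
            is_locked = (index($2, p) == 1)
            if (a == "lock" && !is_locked)  $2 = p $2
            if (a == "unlock" && is_locked) $2 = substr($2, length(p) + 1)
        }
        { print }' "$1"
}

# Constructed sample entries; the hashes are placeholders, not real hashes.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE" "$SAMPLE.new"' EXIT
cat > "$SAMPLE" <<'EOF'
root:$2b$10$PLACEHOLDERHASHROOT:0:0::0:0:Charlie &:/root:/bin/sh
fred:$2b$10$PLACEHOLDERHASHFRED:1001:1001::0:0:Fred:/home/fred:/bin/sh
julie:*LOCKED*$2b$10$PLACEHOLDERHASHJULIE:1002:1002::0:0:Julie:/home/julie:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
EOF

echo "locked before: $(locked_accounts "$SAMPLE" | tr '\n' ' ')"
set_lock "$SAMPLE" fred lock > "$SAMPLE.new"
echo "locked after locking fred: $(locked_accounts "$SAMPLE.new" | tr '\n' ' ')"
```

An entry whose password field is a bare "*" (daemon in the sample) is not reported, because it carries no lock prefix.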
Practice Exercises
- Use vipw or chpass to manually lock an account, then test a login, and then unlock the account.
More information
vipw(8), chpass(1), pw(8), user(8), userdel(8)