Lock a user account or reset a locked user account

Reviewer: Jeremy C. Reed reed AT reedmedia DOT net FreeBSD/NetBSD/DragonFly

Reviewer: name contact BSD flavour

Concept

Know how to recognize a locked account and how to remove the lock.

Introduction

Locking an account is commonly accomplished by modifying the user's password field in the user database. This can be done manually using vipw or chpass.

One FreeBSD and DragonFly, the pw utility can be used to lock and unlock an account. It locks an account by prefixing the password field with "*LOCKED*". For example to lock a user by name:

$ pw lock fred

Or to unlock an account by the UID:

pw unlock 2395

On NetBSD, the usermod (or user mod) program with the -C switch can be used to lock accounts. It also prefixes the password hash with "*LOCKED*". To lock an account use:

$ usermod -C yes julie

And to unlock the account:

$ usermod -C no julie

TODO: OpenBSD's version of NetBSD's usermod doesn't have this lock functionality; does OpenBSD have a tool for this? Or just do it manually?

TODO: locking accounts can also be done with password change time and expiration times. This could mention that briefly, but doesn't cover it.

TODO: point to section describing master.passwd format

Examples

Practice Exercises

Use vipw or chpass to manually lock the account. And then test a login. And then unlock.

More information

vipw(8); chpass(1), pw(8), user(8)