How to Verify Password Lock Status in Linux Using usermod -L Command
When you execute usermod -L username in Linux, the system modifies the user's password entry in the /etc/shadow file by prepending an exclamation mark (!) to the encrypted password. This effectively prevents password authentication while maintaining the original password hash.

The most reliable way to verify password lock status is by examining the shadow file:

sudo grep myUser /etc/shadow

Example output for a locked account:

myUser:!$6$Trn...:19163:0:99999:7:::

Notice the exclamation mark preceding the password hash. For comparison, an unlocked account would show:

myUser:$6$Trn...:19163:0:99999:7:::

You can also use these commands to check account status:

sudo passwd -S myUser

Sample output indicating a locked password:

myUser L 04/15/2023 0 99999 7 -1

The 'L' flag confirms the password is locked. Other status indicators include:

  • 'P' for active password
  • 'NP' for no password

Here's a bash script to check multiple users:

#!/bin/bash

check_lock_status() {
    local user=$1
    local status=$(sudo passwd -S "$user" | awk '{print $2}')
    
    case "$status" in
        L) echo "$user: Password locked" ;;
        P) echo "$user: Password active" ;;
        NP) echo "$user: No password set" ;;
        *) echo "$user: Unknown status" ;;
    esac
}

# Check multiple users
for user in myUser admin testuser; do
    check_lock_status "$user"
done

Important notes:

  • Locking affects only password authentication - SSH keys still work
  • The original password remains in the system and can be restored
  • Root can still su to a locked account
  • Locking differs from account expiration (usermod -e)

When you execute usermod -L username on a Linux system, the command disables the user's password by prepending an exclamation mark (!) to the encrypted password in the /etc/shadow file. This prevents password-based authentication while maintaining other authentication methods like SSH keys.

The most direct way to verify if a password is locked is by examining the shadow file:

sudo grep myUser /etc/shadow

Example output for a locked password:

myUser:!$6$Tr7zW...:19185:0:99999:7:::

Notice the exclamation mark preceding the password hash. This indicates the account is locked.

Using passwd command

sudo passwd -S myUser

Output example:

myUser L 04/10/2023 0 99999 7 -1

The L status indicates the password is locked.

Using chage command

sudo chage -l myUser

While this shows account expiration info, it won't directly show lock status but can be useful for related account status checks.

Here's a bash function to check password lock status:

function is_password_locked() {
    local user=$1
    if sudo grep -q "^${user}:!" /etc/shadow; then
        echo "Password for $user is locked"
        return 0
    else
        echo "Password for $user is NOT locked"
        return 1
    fi
}

Best practices:

  • Always use sudo when checking /etc/shadow
  • Locking a password doesn't disable other authentication methods
  • Consider using usermod --expiredate 1 for complete account locking
  • Regularly audit locked accounts with awk -F: '$2 ~ /^!/ {print $1}' /etc/shadow

If you don't see the expected ! marker:

  1. Verify you used usermod -L and not other locking mechanisms
  2. Check for filesystem sync issues (rare but possible)
  3. Confirm you're examining the correct user entry
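As an added example (not part of either answer above), the audit one-liner can be extended to classify every entry's password field instead of only matching a leading `!`, which separates accounts locked with usermod -L / passwd -l from entries that never had a hash (`!!`), service accounts with `*`, and the dangerous empty field. It runs on constructed sample lines with made-up, truncated hashes so no root is required; in real use, pipe `sudo cat /etc/shadow` into report_lock_status.

```shell
#!/bin/bash
# Added example: classify the password field of /etc/shadow entries.

# Classify one shadow line (name:pwfield:...). Prints one of:
#   empty         - empty field: no password required at all (dangerous)
#   nologin       - "*": password login disabled, nothing to unlock
#   locked-nohash - "!" or "!!" alone: locked, but no hash behind it
#   locked        - "!" prepended by usermod -L / passwd -l; the original
#                   field follows it and is restored by usermod -U
#   active        - a hash that allows password authentication
classify_shadow_line() {
    local line=$1 pw
    pw=${line#*:}          # drop the user name
    pw=${pw%%:*}           # keep only the password field
    case "$pw" in
        "")        echo "empty" ;;
        "*")       echo "nologin" ;;
        "!"|"!!")  echo "locked-nohash" ;;
        "!"*)      echo "locked" ;;
        *)         echo "active" ;;
    esac
}

# Constructed sample shadow entries (hashes truncated and made up).
SAMPLE_SHADOW='myUser:!$6$Trn...:19163:0:99999:7:::
admin:$6$abc...:19163:0:99999:7:::
svc:*:19163:0:99999:7:::
newuser:!!:19163:0:99999:7:::
bad:::19163:0:99999:7:::'

# Read shadow lines on stdin; print "user<TAB>classification" per line.
report_lock_status() {
    local line
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        printf '%s\t%s\n' "${line%%:*}" "$(classify_shadow_line "$line")"
    done
}

# Read shadow lines on stdin; print how many are locked usermod -L style.
count_locked() {
    local line n=0
    while IFS= read -r line; do
        if [ "$(classify_shadow_line "$line")" = "locked" ]; then n=$((n+1)); fi
    done
    echo "$n"
}

printf '%s\n' "$SAMPLE_SHADOW" | report_lock_status
```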