When you execute passwd -l username on Linux, the system modifies the password field in /etc/shadow by prefixing it with "!". This effectively invalidates all password-based authentication attempts while preserving the original hashed password.

Here's the actual sequence of events:

Before locking:

    john:$6$rounds=656000$Jxs...:19285:0:99999:7:::

After passwd -l john:

    john:!$6$rounds=656000$Jxs...:19285:0:99999:7:::

- Reversible: can be undone with passwd -u
- Non-destructive: the original hash remains intact
- SSH impact: blocks password login but not key-based auth
- Sudo behavior: still works if the user is in sudoers
Locking a service account:

    # Lock the account
    sudo passwd -l nginx
    # Verify status
    sudo passwd -S nginx
    nginx L 04/10/2023 0 99999 7 -1

Temporarily disabling a user:

    # During maintenance
    sudo passwd -l devuser
    # After maintenance
    sudo passwd -u devuser
Compare with other approaches:

    # Using usermod (expires account)
    sudo usermod -e 1 janedoe
    # Changing shell to nologin
    sudo usermod -s /usr/sbin/nologin janedoe
While passwd -l is effective for password-based logins, remember:

- The user can still log in via SSH keys
- Cron jobs will continue running
- Active sessions remain unaffected
- Consider combining with chage -E0 for full lockdown
When you execute passwd -l username (e.g., passwd -l john), the system modifies the user's encrypted password in /etc/shadow by prefixing it with an exclamation mark ("!"). This effectively prevents password-based authentication while preserving other login methods.

    $ sudo grep john /etc/shadow
    # Before locking:
    john:$6$salt$hashedpassword:18264:0:99999:7:::
    # After locking:
    john:!$6$salt$hashedpassword:18264:0:99999:7:::
Locking differs from password expiration or account disabling in several ways:
- SSH key authentication still works: The user can still log in via public key authentication
- SUDO privileges remain: If the user has sudo rights, they can still execute commands with elevated privileges
- No session termination: Existing sessions aren't automatically terminated
Common scenarios where password locking is useful:

    # Temporary maintenance access restriction
    sudo passwd -l deploy_user
    # Security response to suspected compromise
    sudo passwd -l suspected_account
    # Preparing for account decommissioning
    sudo passwd -l old_employee

Check password lock status using either method:

    # Method 1: Check shadow file directly
    sudo grep '^john:' /etc/shadow | cut -d: -f2 | grep '^!'
    # Method 2: Use passwd status command
    sudo passwd -S john
    # Output: john L 04/10/2023 0 99999 7 -1
    # The 'L' indicates locked status

To restore password authentication:

    sudo passwd -u john
    # Verify:
    sudo passwd -S john
    # Output: john P 04/10/2023 0 99999 7 -1
    # 'P' indicates active password

For more comprehensive access control, consider combining with:

    # Expire the password immediately
    sudo chage -d 0 john
    # Disable shell access
    sudo usermod -s /sbin/nologin john
    # Combine with PAM modules for additional restrictions
Note that behavior may vary slightly across distributions:

- On some systems, -l may completely disable the account
- Older versions might use different locking mechanisms
- Always test in your specific environment
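As an added example (not code from either answer above, and not part of shadow-utils itself), the following POSIX shell script models what both answers describe: it parses a constructed /etc/shadow and /etc/passwd excerpt, classifies the password field the way passwd -S reports it (L, NP or P), tells a reversible passwd -l lock (the hash is still there behind the "!") apart from a hashless "!!" or "*" field, models the edit that passwd -l and passwd -u make to the field, and combines that with the account expiry field that chage -E0 sets and with the login shell, since both answers note that a locked password alone does not stop SSH keys, cron jobs or an open session. The user names, entries and placeholder hashes are constructed; the L/NP/P classification, the idempotent "!" prefix and the refusal to unlock to an empty password are my understanding of shadow-utils behaviour, not something quoted on the page.

```shell
#!/bin/sh
# Added example: audit a shadow-format file for locked accounts and model the
# edit that passwd -l / passwd -u make to the password field.
# All data below is constructed; the hashes are placeholders, not real hashes.

# Constructed /etc/shadow excerpt. Field 2 is the password, field 8 the account
# expiry in days since 1970-01-01 (empty = never; 0 is what chage -E0 writes).
SAMPLE_SHADOW='root:$6$salt$roothash:19285:0:99999:7:::
john:!$6$salt$johnhash:19285:0:99999:7:::
nginx:*:19285:0:99999:7:::
janedoe:$6$salt$janehash:19285:0:99999:7::0:
deploy:!!:19285:0:99999:7:::'

# Constructed /etc/passwd excerpt; field 7 is the login shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
john:x:1001:1001::/home/john:/bin/bash
nginx:x:33:33::/var/www:/usr/sbin/nologin
janedoe:x:1002:1002::/home/janedoe:/bin/bash
deploy:x:1003:1003::/home/deploy:/bin/bash'

# field USER N TEXT: print field N of USER's line in colon-separated TEXT.
field() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v n="$2" '$1 == u { print $n; exit }'
}

# pw_status FIELD: classify a password field the way passwd -S reports it:
# L = locked ("!" or "*" prefix), NP = no password, P = usable password.
pw_status() {
    case "$1" in
        '!'* | '*'*) echo L ;;
        '')          echo NP ;;
        *)           echo P ;;
    esac
}

# hash_preserved FIELD: true when a "!"-locked field still carries a hash,
# i.e. the lock is the reversible passwd -l kind rather than "!!" or "*".
hash_preserved() {
    case "$1" in
        '!$'*) return 0 ;;
        *)     return 1 ;;
    esac
}

# lock_field FIELD: what passwd -l writes. It prefixes a single "!" and leaves
# an already-locked field unchanged, so repeated locks do not stack.
lock_field() {
    case "$1" in
        '!'*) printf '%s\n' "$1" ;;
        *)    printf '!%s\n' "$1" ;;
    esac
}

# unlock_field FIELD: what passwd -u writes. Strips the leading "!" but, like
# passwd -u without -f, refuses when that would leave an empty password.
unlock_field() {
    rest=${1#!}
    if [ -z "$rest" ]; then
        echo 'refusing: unlocking would leave a passwordless account' >&2
        return 1
    fi
    printf '%s\n' "$rest"
}

# account_expired EXPIRE_DAYS TODAY_DAYS: true when the expiry field (field 8)
# is set and not after today; this is the check that chage -E0 is meant to trip.
account_expired() {
    [ -n "$1" ] && [ "$1" -le "$2" ]
}

# audit TODAY_DAYS: one line per account with the checks combined, because a
# locked password alone does not stop SSH keys, cron or an existing session.
audit() {
    printf '%s\n' "$SAMPLE_SHADOW" | cut -d: -f1 | while read -r user; do
        pw=$(field "$user" 2 "$SAMPLE_SHADOW")
        exp=$(field "$user" 8 "$SAMPLE_SHADOW")
        shell=$(field "$user" 7 "$SAMPLE_PASSWD")
        st=$(pw_status "$pw")
        rev=no
        hash_preserved "$pw" && rev=yes
        expd=no
        account_expired "$exp" "$1" && expd=yes
        printf '%-8s pw=%-2s reversible=%-3s expired=%-3s shell=%s\n' \
            "$user" "$st" "$rev" "$expd" "$shell"
    done
}

# Demo run; 19500 is a constructed "today" in days since the epoch.
audit 19500
```

Reading the audit output, only janedoe (expiry field 0) and nginx (nologin shell) are closed to every login path; john's lock is the reversible kind, and deploy's "!!" reports as locked but has no hash to restore, so passwd -u alone cannot bring it back.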