You can use the usermod command to change a user’s login shell.
usermod -s /sbin/nologin myuser
usermod -s /usr/sbin/nologin myuser
If your OS does not provide /sbin/nologin, you can set the shell to a NOOP command such as /bin/false:
usermod -s /bin/false myuser
Changing the login shell does not necessarily prevent users from authenticating (except in some services that check if the user’s shell is mentioned in
People may still be able to authenticate to the various services that your system provides to unix users, and may still be authorized to perform some actions albeit probably not run arbitrary commands directly.
Changing the shell to /usr/sbin/nologin will only prevent them from running commands on those services that can be used to run commands (console login, ssh, telnet, rlogin, rexec…), so it affects authorisation for some services only.
For ssh, for instance, that still allows them to do port forwarding.
passwd -l will disable password authentication, but the user may still be allowed to use other authentication methods (like
pam on Linux at least, you can use the pam_shells module to restrict authentication or authorisation to users with an allowed shell (those mentioned in
ssh, you’ll want to do it at authorisation (account) level as for authentication
pam in addition to other authentication methods (like authorized_keys), or you can do it with sshd_config directives in
AllowUsers and friends).
Beware though that adding some restrictions in global pam authorisation will potentially prevent running cron jobs as those users.
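As an added example (not part of the answers on this page), the shell function below reads a passwd-format file and a shells allow-list in the format of /etc/shells, the file pam_shells consults, and reports for each account whether its shell is a no-command shell and whether that shell is on the allow-list. The function name `audit_shells`, the output labels and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify accounts by login shell and allow-list membership.
# usage: audit_shells PASSWD_FILE SHELLS_FILE
# prints one line per account: user shell state listed|unlisted
audit_shells() {
    awk -F: -v shells="$2" '
        BEGIN {
            # Load the allow-list, skipping comments and blank lines.
            while ((getline line < shells) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue
                allowed[line] = 1
            }
            close(shells)
        }
        /^#/ || NF < 7 { next }          # skip comments and malformed entries
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"   # passwd(5): empty field means /bin/sh
            base = shell; sub(/.*\//, "", base)
            state = (base == "nologin" || base == "false") ? "no-command-shell" : "login-shell"
            listed = (shell in allowed) ? "listed" : "unlisted"
            print $1, shell, state, listed
        }
    ' "$1"
}

# Constructed sample data (not taken from a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
svc:x:999:999::/var/empty:/usr/sbin/nologin
old:x:1001:1001::/home/old:/bin/false
dflt:x:1002:1002::/home/dflt:
EOF
cat > "$demo_dir/shells" <<'EOF'
# constructed allow-list
/bin/sh
/bin/bash
/usr/sbin/nologin
EOF
audit_shells "$demo_dir/passwd" "$demo_dir/shells"
rm -rf "$demo_dir"
```

On a live system, run `audit_shells /etc/passwd /etc/shells`. An account reported as `no-command-shell listed` has a shell that is itself on the allow-list, so a pam_shells check would not reject it.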
You edit the /etc/passwd file and change the user’s shell from