How to create and modify user accounts to have a nologin shell

https://access.redhat.com/articles/2072

Updated October 4 2022 at 3:59 AM - English

For security reasons, you may sometimes need to prevent users from logging in to the server. The simple solution is to configure their accounts so that their login shell is set to /sbin/nologin. To modify an existing user, execute the command:

usermod -s /sbin/nologin <username>

For new users, you may use the command:

useradd -s /sbin/nologin <username>

To make sure that you do not forget to set each user’s login shell to /sbin/nologin, use the -D option to set the default.

useradd -D -s /sbin/nologin

With the above settings, new users get /sbin/nologin as their default login shell, without the need to specify the -s option when using useradd.

This configuration still allows users to perform important daily tasks such as sending and receiving mail, using FTP, accessing network shared folders and other tasks. It does, however, prevent them from logging into the server. This is a good configuration if the server is acting as the Primary Domain Controller and users are mainly using Windows on their workstations.

This method is also a good way to prevent unauthorised server logins due to weak passwords set by users.
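To check which accounts can still log in after applying the commands above, the following added example (not part of the original article) scans a passwd-format file and reads the default shell from `useradd -D` output. The function names, the UID 1000 threshold, the treatment of /usr/sbin/nologin and /bin/false as non-login shells, and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): find accounts that can still log in.
# Assumptions: regular users start at UID 1000, and /usr/sbin/nologin and
# /bin/false also count as non-login shells.

# list_login_capable FILE [UID_MIN]
# Prints "name shell" for every account in the passwd-format FILE with
# UID >= UID_MIN whose shell is not a non-login shell.
list_login_capable() {
    awk -F: -v min="${2:-1000}" '
        /^#/ || NF < 7 { next }      # skip comments and malformed lines
        $3 + 0 < min   { next }      # skip accounts below the UID threshold
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"   # empty field means /bin/sh, see passwd(5)
            if (shell != "/sbin/nologin" && shell != "/usr/sbin/nologin" && shell != "/bin/false")
                print $1, shell
        }' "$1"
}

# default_shell: reads `useradd -D` output on stdin and prints the SHELL= value.
default_shell() {
    sed -n 's/^SHELL=//p'
}

# Constructed sample data, so the example runs offline.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/sbin/nologin
carol:x:1002:1002:Carol:/home/carol:
dave:x:1003:1003:Dave:/home/dave:/bin/false
EOF
}

tmp=$(mktemp)
sample_passwd > "$tmp"
list_login_capable "$tmp"    # on a real host: list_login_capable /etc/passwd
rm -f "$tmp"
# On a real host, confirm the default set with -D: useradd -D | default_shell
```

Passing 0 as the second argument includes system accounts such as root in the report.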

Product(s): Red Hat Enterprise Linux
Category: Configure
Component: bash shadow-utils
Tags: configuration
Article Type: General

Comments

Community Member (28 points) Mike Ballon, Feb 13, 2024 2:16 AM, says:

What is the proper home directory in a case like this where /sbin/nologin is the shell? Should it be the associated username in /home, “/” like I’ve seen in the past, or something else?

/dev/null appears not to be the answer or at least CIS Benchmark balks at it, ““/dev/null already exists as a file”, “owner”: “root”, “path”:”
