How to disable user ssh login under Linux

Jephe Wu -

Objective:  explain the different ways of disabling a user's shell access under Linux, and their pros and cons
Environment: CentOS 6.4 64bit


1. using /sbin/nologin or /bin/false as the login shell
useradd -s /sbin/nologin jephe
chsh -s /sbin/nologin jephe

pros: disables interactive shell access, and with it anything sshd starts through the login shell (remote commands, and the classic sftp-server subsystem)
cons: does not disable SSH authentication itself, so TCP port forwarding still works.

e.g. the user can still ssh to the server with -N (run no command) and forward ports, without ever getting a shell:

ssh -N -L 2222:remote:22 server

The same holds for agent forwarding, and for SFTP when the subsystem is internal-sftp, which runs inside sshd and never invokes the login shell.

2. password lock/unlock

passwd -l jephe and passwd -u jephe
usermod -L jephe and usermod -U jephe

Locking prefixes the password hash in /etc/shadow with one or more "!" characters, so no password can match it; unlocking removes the prefix and restores the original password.

Pros: disables password login without deleting the hash, using only /etc/shadow
cons: only password authentication is affected. If the user had configured public key authentication (~/.ssh/authorized_keys) before you locked the password, the user can still ssh in.

related command: chage -d 0 jephe  # sets the last password change date to 1970-01-01, so the password is expired and the user must change it immediately at the next login; 'chage -l jephe' shows the current settings.

chage -d 0 is different from chage -E0: chage -d 0 expires the password, forcing the user to change it after login, while chage -E0 expires the account itself and disables the user on the system entirely.

3. make the user account expire entirely
chage -E0 jephe and reverse it with chage -E-1 jephe

Pros: the account itself is expired, so every ssh login is refused, whether by password, public key, sftp or -N port forwarding; the hash and keys stay in place, so the change is easy to reverse
cons: the shadow(5) man page warns that an expiry value of 0 can be read either as "no expiry" or as 1970-01-01; on this CentOS 6.4 system it works as shown below, but chage -E 1970-01-02 has the same effect without the ambiguity. Like the methods above, it does not end sessions that are already open: check with 'who' and kill them with 'pkill -KILL -u jephe' if needed.
If you need to totally disable a user's ssh access, this is the method to use.

[root@server1 ~]# chage -E0 corkroo
[root@server1 ~]# getent shadow corkroo
[root@server1 ~]# chage -E-1 corkroo
[root@server1 ~]# getent shadow corkroo
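Before picking one of the three methods it helps to see which controls are actually set on an account and what each one still permits. The script below is an added example and not part of the original article: it classifies a user from passwd and shadow records using constructed sample records (jephe, corkroo, gone and alice are made-up accounts here), and audit_report can be pointed at 'getent passwd' / 'getent shadow' output on a live system.

```shell
#!/bin/sh
# Added example (not from the original article): report which of the three
# per-account mechanisms above are in effect for a user and what each one
# still leaves open. Run it against a live box with:
#   audit_report "$(getent passwd jephe)" "$(getent shadow jephe)"
# The records below are constructed samples, not real accounts.

# passwd: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD='jephe:x:1001:1001::/home/jephe:/sbin/nologin
corkroo:x:1002:1002::/home/corkroo:/bin/bash
gone:x:1003:1003::/home/gone:/bin/bash
alice:x:1004:1004::/home/alice:/bin/bash'

# shadow: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# jephe   - normal hash, nologin shell            (method 1)
# corkroo - hash locked with "!" by passwd -l     (method 2)
# gone    - account expiry day 0, i.e. chage -E0  (method 3)
# alice   - nothing applied, expiry far in the future
SAMPLE_SHADOW='jephe:$6$salt$hash:15800:0:99999:7:::
corkroo:!$6$salt$hash:15800:0:99999:7:::
gone:$6$salt$hash:15800:0:99999:7::0:
alice:$6$salt$hash:15800:0:99999:7::99999:'

# Print colon-separated field $2 of record $1.
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# Print the record for user $1 from the file contents in $2.
record() { printf '%s\n' "$2" | grep "^$1:"; }

# 0 if the login shell refuses a shell (method 1).
shell_disabled() {
    case "$(field "$1" 7)" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the hash is locked: "!" prefix from passwd -l / usermod -L (method 2),
# or the "*" / "!!" placeholders that match no password.
password_locked() {
    case "$(field "$1" 2)" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the expire field (days since 1970-01-01) is set and not in the future (method 3).
account_expired() {
    exp=$(field "$1" 8)
    today=$(( $(date +%s) / 86400 ))
    [ -n "$exp" ] && [ "$exp" -ge 0 ] && [ "$exp" -le "$today" ]
}

# 0 if the home directory holds an authorized_keys file (bypasses method 2).
has_authorized_keys() { [ -s "$(field "$1" 6)/.ssh/authorized_keys" ]; }

# Echo "expired" (every ssh login refused), "partial" (only a bypassable
# control is set) or "open" (nothing set).
audit_verdict() {
    if account_expired "$2"; then echo expired
    elif shell_disabled "$1" || password_locked "$2"; then echo partial
    else echo open
    fi
}

# One line per user: which controls are set and what each still allows.
audit_report() {
    printf '%s: ' "$(field "$1" 1)"
    if shell_disabled "$1"; then
        printf 'nologin shell (ssh -N port forwarding still possible); '
    fi
    if password_locked "$2"; then
        printf 'password locked'
        has_authorized_keys "$1" && printf ', but authorized_keys present so key login still works'
        printf '; '
    fi
    echo "verdict=$(audit_verdict "$1" "$2")"
}

for u in jephe corkroo gone alice; do
    audit_report "$(record "$u" "$SAMPLE_PASSWD")" "$(record "$u" "$SAMPLE_SHADOW")"
done
```

Only the expiry check yields a full "expired" verdict; a nologin shell or a locked password on its own is reported as "partial" together with the path that remains open, which is exactly the gap the previous two sections describe.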

4. force sftp access only, not ssh

The user keeps a normal shell, /bin/bash, but /etc/ssh/sshd_config forces that user to use sftp only, with no shell access:
[root@server1 ~]#   tail -7 /etc/ssh/sshd_config
Subsystem sftp internal-sftp

Match User corkroo
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

The Subsystem line replaces the default "Subsystem sftp /usr/libexec/openssh/sftp-server" (only one sftp subsystem may be defined). Keep the Match block at the end of the file: every line after a Match line belongs to it until the next Match. To close the remaining session features as well, add AllowAgentForwarding no and PermitTunnel no to the block; ChrootDirectory (pointing at a root-owned, non-writable directory) can additionally confine the user to one directory tree. After editing, run 'sshd -t' to check the syntax and 'service sshd reload' to apply it.

[root@server1 ~]# getent passwd corkroo

[root@server1 ~]# ssh corkroo@localhost
Password:  # then it hangs here.

The hang is expected: after authentication sshd runs internal-sftp in place of the shell, and the interactive ssh client is left connected to an SFTP server that waits for protocol packets the client never sends. Connecting with an sftp client instead works normally.
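To confirm that a Match block like the one above really leaves corkroo with nothing but internal-sftp, check the effective configuration sshd computes for that user rather than reading the file by eye. The script below is an added example, not from the original article: it parses the lowercase "keyword value" lines that 'sshd -T -C user=NAME' prints (OpenSSH 5.1 and later, so available on CentOS 6) and flags any setting that still allows a shell, a remote command or forwarding. SAMPLE_GOOD and SAMPLE_BAD are constructed stand-ins for that output so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the effective sshd
# settings for a user reduce the session to internal-sftp. On a live host,
# "sshd -T -C user=NAME" prints the configuration after Match blocks are
# applied, one lowercase "keyword value" per line; the samples below are
# constructed stand-ins for that output so the script runs offline.

# Constructed sample of "sshd -T -C user=corkroo" once the Match block is in
# place (only the keywords that matter here are shown).
SAMPLE_GOOD='forcecommand internal-sftp
allowtcpforwarding no
x11forwarding no
allowagentforwarding no
permittunnel no'

# Constructed sample for a user the Match block does not cover.
SAMPLE_BAD='forcecommand none
allowtcpforwarding yes
x11forwarding yes
allowagentforwarding yes
permittunnel no'

# Keyword/value pairs a user must have to be SFTP-only: no shell or remote
# command, and no forwarding of TCP ports, X11, the agent or tunnel devices.
REQUIRED='forcecommand internal-sftp
allowtcpforwarding no
x11forwarding no
allowagentforwarding no
permittunnel no'

# Echo the value of keyword $1 in config dump $2 (empty if the keyword is absent).
cfg_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# 0 if every REQUIRED keyword has its required value in config dump $1;
# otherwise print one "keyword: got X, want Y" line per deviation and return 1.
sftp_only() {
    deviations=$(printf '%s\n' "$REQUIRED" | while read -r key want; do
        got=$(cfg_value "$key" "$1")
        [ "$got" = "$want" ] || echo "$key: got '${got:-unset}', want '$want'"
    done)
    [ -z "$deviations" ] && return 0
    printf '%s\n' "$deviations"
    return 1
}

# Check a real user when a name is given and sshd is available (needs root to
# read the host keys); otherwise demonstrate on the constructed samples.
if [ -n "$1" ] && command -v sshd >/dev/null 2>&1; then
    sftp_only "$(sshd -T -C "user=$1")" && echo "$1: sftp-only"
else
    sftp_only "$SAMPLE_GOOD" && echo "sample good: sftp-only"
    sftp_only "$SAMPLE_BAD" || echo "sample bad: NOT sftp-only"
fi
```

Run it as root with the user name as the argument (for example './check-sftp-only.sh corkroo', assuming you saved it under that name) after 'service sshd reload'; a user outside the Match block shows the global values, typically 'forcecommand none' and 'allowtcpforwarding yes', and is reported line by line.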