The Ubuntu flavor of Linux usually ships with a user called ‘ubuntu’. This is in addition to the ‘root’ user.
Cloud server providers such as DigitalOcean, Linode and Vultr default to the ‘root’ user. Other server providers default to the ‘ubuntu’ user.
If you’re using a cloud server provider that defaults to ‘root’, you can disable the ‘ubuntu’ user login without removing them from the server. This can be done with a simple command entered on the command line:
sudo passwd -l ubuntu
This will prevent the user from logging in with a password. If the ‘ubuntu’ user does not exist, you’ll receive a simple error message such as ‘passwd: user ‘ubuntu’ does not exist’.
To lock any other user, just enter the user name in place of ‘ubuntu’ – i.e.:
sudo passwd -l <username>
Note that locking a user with this method does NOT prevent the user from logging in if they have been configured for passwordless logins (e.g. with SSH key pairs). It only prevents them from using a password to log in. If you’d like to prevent those types of logins as well, you can use the chage command to expire the user (see more information at the bottom of this article).
You can check the status of a user to see if they’re locked:
sudo passwd -S ubuntu
The output might look something like this:
ubuntu L 09/14/2023 0 99999 7 -1
If the second column in the output contains “L”, then the user is locked. In the above example output, the ‘ubuntu’ user is indeed locked.
You can check the status for ALL your users by using the following command:
sudo passwd -S --all
The output will look similar to this:
root P 07/04/2023 0 99999 7 -1
syslog L 02/17/2023 0 99999 7 -1
uuidd L 02/17/2023 0 99999 7 -1
tcpdump L 02/17/2023 0 99999 7 -1
tss L 02/17/2023 0 99999 7 -1
landscape L 02/17/2023 0 99999 7 -1
fwupd-refresh L 02/17/2023 0 99999 7 -1
usbmux L 06/16/2023 0 99999 7 -1
ubuntu L 09/14/2023 0 99999 7 -1
Notice that the second column in the output contains “L” for each locked user. In this example only root, which shows “P”, is not locked.
Learn more about the passwd command on the passwd page on the Ubuntu documentation site.
As mentioned earlier, locking a user does not prevent them from logging in with certificates. To prevent this type of login, you must expire the user, e.g.:
chage -E0 ubuntu
Expiring an account uses the 8th field in /etc/shadow (using “chage -E”) – this will block all access methods that use PAM to authenticate a user.
To verify the account has expired, use:
chage -l ubuntu
The output should include a row that shows the expiration date:
Last password change : Apr 17, 2021
Password expires : never
Password inactive : never
Account expires : Jan 21, 1990
Minimum number of days between password change : 0
Maximum number of days between password change : 999999
Number of days of warning before password expires : 7
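The gap described above (a locked password does not stop key-based logins until the account is expired) can be audited by comparing the status column of passwd -S with the 8th field of /etc/shadow. The script below is an added example, not part of the original article; the sample data is constructed, and the ‘deploy’ user and the function name are hypothetical.

```shell
#!/bin/sh
# Added example: list accounts that are password-locked ("L" in `passwd -S`)
# but have no past expiry date in field 8 of /etc/shadow.

# Constructed sample data. On a real host, capture it with:
#   sudo passwd -S --all      and      sudo cat /etc/shadow
SAMPLE_STATUS='root P 07/04/2023 0 99999 7 -1
syslog L 02/17/2023 0 99999 7 -1
ubuntu L 09/14/2023 0 99999 7 -1
deploy L 09/14/2023 0 99999 7 -1'

SAMPLE_SHADOW='root:$y$constructed-hash:19542:0:99999:7:::
syslog:*:19405:0:99999:7:::
ubuntu:!:19614:0:99999:7::0:
deploy:!:19614:0:99999:7:::'

# locked_but_not_expired STATUS_TEXT SHADOW_TEXT [TODAY]
# TODAY is in days since 1970-01-01, the unit field 8 uses.
locked_but_not_expired() {
    today=${3:-$(( $(date +%s) / 86400 ))}
    { printf '%s\n' "$1" '---' "$2"; } |
    awk -v today="$today" '
        $0 == "---" { in_shadow = 1; next }       # separator between the two inputs
        !in_shadow  { if ($2 == "L") locked[$1] = 1; next }
        {
            split($0, f, ":")
            if (!(f[1] in locked)) next
            # Empty field 8: never expires. A later day: not expired yet.
            if (f[8] == "" || f[8] + 0 > today + 0) print f[1]
        }'
}

# Prints syslog and deploy for the sample data; ubuntu is locked AND expired.
locked_but_not_expired "$SAMPLE_STATUS" "$SAMPLE_SHADOW"
```

Service accounts such as syslog also appear in the result, because they are locked without an expiry date; whether that matters depends on whether they have a login shell or authorized keys.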