Anyone know how to block a user from TTY login, thus forcing them to use their personal login, BUT then allowing them to su - to the blocked account?

Changing shell to /sbin/nologin/ also blocks su - access.

Do I need to use PAM to do this? Ugh.


passwd -l username
passwd -u username to unlock again

man passwd for more details.


That will lock the initial login, and also prevent su - <user> from working as well.

To enable su - <user> I had to give the users sudo access,
and prevent su to root:

ALL ALL=(ALL) NOPASSWD: /bin/su - <user> , ! /bin/su *root*


Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.