When operating in an NIS+ environment (see passwd Command and “NIS+ Environment”), an administrator (a group member) with modify rights to a user's entry in the passwd table can use the passwd command to lock a password. An account with a locked password cannot be used. When a password is locked, the user will receive a Login incorrect message after each login attempt.
Keep in mind that locked passwords have no effect on users who are already logged in. A locked password only prevents users from performing those operations that require giving a password such as login, rlogin, ftp, or telnet.
Note also that if a user with a locked password is already logged in, and that user uses the passwd command to change passwords, the lock is broken.
You can use this feature to:
Immediately lock one or more user passwords in the case of suspected security problem.
Quickly lock a dismissed employee out of the system. This is quicker and easier than eliminating that user's account and is an easy way of preserving any data stored in that account.
If you have assigned passwords to UNIX processes, you can lock those passwords. This allows the process to run, but prevents anyone from logging in as those processes even if they know the process password. (In most cases, processes would not be set up as NIS+ principals, but would maintain their password information in /etc files. In such a case you would have to run the passwd command in files mode to lock /etc stored passwords.)
To lock a password, use:
passwd -l username
To unlock a user's password, you simply change it. You can “change” it back to the exact same password that it was when it was locked. Or you can change it to something new.
For example, to unlock jody's password, you would enter:
station1% passwd jody