SSH: Removing A User

Version 1.0
Author: Tom Adelstein <tom [dot] adelstein [at] gmail [dot] com>
Falko Timme <ft [at] falkotimme [dot] com>
Last edited 04/04/2006

Employee turnover in most organizations runs high. So unless you run a small shop with a stable user base, you need to learn how to clean up after an employee leaves. Too many so-called system administrators do not understand the stakes involved when they manage users. Disgruntled former employees can often cause significant trouble for a company by gaining access to the network.

To remove a user, you need to learn to manage all of his or her files, mailboxes, mail aliases, print jobs, recurring –(automatic) personal processes such as the backing up of data or remote syncing of directories, and other references to the user. It is a good idea at first to disable the account in /etc/passwd, after which you can search for the user’s files and other references. Once all traces of the user have been cleaned up, you can remove the user completely—but if you remove the entry from /etc/passwd while these other references exist, you have a harder time referring to them .

When you remove a user, it’s a good idea to follow a pre-determined course of action so you don’t forget any important steps; it may even be a good idea to make a checklist so that you have a routine. Following, you will find several items requiring attention.

1 Disable The User’s Password

The first task is to disable the user’s password, effectively locking him out. For example:

# passwd -l bwilson

Sometimes it’s necessary to temporarily disable an account without removing it. For example, the user might go on maternity leave or take a post for 90 days in another country. You may also discover from your system logs that someone has gained unauthorized control of an account by guessing the password. The passwd -l command is useful for these situations. It locks (therefore -l) the account by changing the password to a value that cannot be matched by any possible encrypted value.

2 Find The User’s Files

Next, you have to decide what to do with the user’s files. Remember that users may have files outside their home directory. The find command can find them:

# find / -user bwilson

You can then decide whether to delete these files or keep them as discussed later in the section “Sealing the home directory.” If you decide to delete them, back them up in case you need data from them later.

3 Change The Login Shell

As extra security, you can change the user’s login shell to a dummy value. Simply change the last line in the /etc/passwd file to something like * or /dev/null.

For example, if you have this line for bwilson in /etc/passwd:

bwilson:x:1023:1023:Brian Wilson:/home/bwilson:/bin/bash

you can change it to this:

bwilson:x:1023:1023:Brian Wilson:/home/bwilson:/dev/null

4 Remove SSH Keys

If your organization uses Secure Shell (SSH, usually provided on Linux by OpenSSH) and you allow remote RSA or DSA key authentication, a user can get access to the system even if the password is disabled. This is because SSH uses separate keys. For instance, even after you have locked Brian Wilson out of your system using the steps shown up to now, he could get on another computer somewhere and run a command such as:

bwilson:~$ ssh -f -N

This forwards traffic to port 80 (the port on which a web server usually listens) on your internal servert. We will discuss this type of activity in more detail in the security section of this book. Obviously, if your system offers SSH, you should remove authorized keys from ~bwilson/.ssh or ~bwilson/.ssh2 directories in order to stop a user from regaining access to his account this way. Likewise, look for shosts and rhosts files in the user’s home directory: ~bwilson/.shosts and ~bwilson/.rhosts.

For example, if bwilson’s home directory is /home/bwilson, you can remove these keys like this:

# rm -fr /home/bwilson/.ssh/*
# rm -fr /home/bwilson/.ssh2/*
# rm -fr /home/bwilson/.shosts
# rm -fr /home/bwilson/.rhosts

5 Kill The User’s Processes

Also, check to see if the user still has any processes running on the system. Such processes might act as a backdoor to allow a user into a network The following command will tell you if any are running currently.

# ps aux | grep -i ^bwilson

If you get an output like this:

bwilson    1960  0.0  0.2  1684  628 ?        Ss   10:10   0:00 /usr/sbin/someprocess

Then you can kill the process like this:

# kill -9 1960

where 1960 is the process ID (pid).

Some other questions a system administrator might ask about a personal user who has left the company include:

  • Could bwilson execute Common Gate Interface (CGI) scripts from his home directory or on one of the company’s web servers?
  • Do any email forwarding files such as ~bwilson/.forward exist? Users can utilize forwarders to send mail to their accounts and cause programs to be executed on the system where they supposedly do not have access.

6 Remove The User’s Cron Jobs

The next step is to check whether the user has cron jobs, and to delete or disable them if he does. We can use the crontab command to find out if he has cron jobs:

# crontab -u bwilson -l

If you see that bwilson has cron jobs, you can disable them by running

# crontab -u bwilson -e

In the crontab editor that pops up you can simply disable all cron jobs by commenting them out (i.e., by prepending with a #). For instance, you can disable

50 23 * * * /usr/bin/someprocess

like this:

#50 23 * * * /usr/bin/someprocess

Instead of disabling the cron jobs of bwilson, you can as well delete them by running

# crontab -u bwilson -r

7 Sealing The Home Directory

You will often find that management wants to retain the information in the directory of an employee who leaves. All the email and other documents in a personal user’s account belong to the company. In the event a disgruntled former employee becomes litigious, the company’s legal counsel may want these files. Many analysts consider the keeping such directories as good practice.You can save the contents of a user’s home directory by renaming it. Simply execute a move command:

# mv /home/bwilson /home/bwilson.locked

In this way, the former employee cannot log in or make any use of configuration files such as the .forward file discussed in the previous section. The contents remain intact if needed later.

8 Remove The User From sudoers

If you have sudo installed, you should also remove the user from /etc/sudoers or at least disable him there. You can do this with the visudo command:

# visudo

9 Check All Other Applications For Logins Of That User

You might also want to check all your other applications (e.g. MySQL) that don’t use system user logins but where the user to be removed might have logins under another username. You should check your web site, PHP scripts, etc. for user logins and disable the login for the user to be removed. I will give three other examples here:

9.1 Web Directories Protected By .htaccess/.htpasswd

You might have some directories on your web site that are password-protected by .htaccess/.htpasswd (for example, the web site statistics folder), and until now the user to be removed (I’ll name him bwilson here again, although the username might be completely different from the username we used so far because it is no system user this time) had access to these directories. You can remove bwilson’s login with the htpasswd command.

Let’s assume the .htpasswd file is /var/www/.htpasswd. Then you can remove bwilson’s login like this:

# htpasswd -D /var/www/.htpasswd bwilson

9.2 MySQL

If bwilson has a login for the company’s MySQL database, you can remove the login like this:

# mysql -u root -p

9.3 Postfix

If Postfix uses sasldb2 instead of the passwords in /etc/shadow, you must delete the user bwilson from /etc/sasldb2 – otherwise he will be able to send emails. You can do that with the saslpasswd2 command:

# saslpasswd2 -d bwilson

If you’re using SASL version 1 instead of version 2, then you must use the saslpasswd command:

# saslpasswd -d bwilson

The passwords are then stored in /etc/sasldb instead of /etc/sasldb2.

Quoted from: taft @


Server Stop, Start, Restart (Apache, SSH, MySql, Qmail)


Q. I’m using CentOS / RHEL / Fedora Linux server and I’d like to restart my httpd server after making some changes to httpd.conf file. How do I restart httpd?

A. You can use service command to restart httpd. Another option is use /etc/init.d/httpd service script.

Login as root user and type the following commands:

Task: Start httpd server:

# service httpd start

Task: Restart httpd server:

# service httpd restart

Task: Stop httpd server:

# service httpd stop
Please note that restart option is a shorthand way of stopping and then starting the Apache HTTPd Server. You need to restart server whenever you make changes to httpd.conf file. It is also good idea to check configuration error before typing restart option:
# httpd -t
# httpd -t -D DUMP_VHOSTS

Sample output:

Syntax OK

Now restart httpd server:
# service httpd restart

  • -t : Run syntax check for config files
  • -t -D DUMP_VHOSTS : Run syntax check for config files and show parsed settings only for vhost.

/etc/init.d/httpd script

You can also use following command:
# /etc/init.d/httpd restart
# /etc/init.d/httpd start
# /etc/init.d/httpd stop

A note about Debian / Ubuntu Linux

Type the following command under Debian / Ubuntu Linux:
# /etc/init.d/apache2 restart
# /etc/init.d/apache2 stop
# /etc/init.d/apache2 start

You can also use service command under Debian / Ubuntu Linux:
# service apache2 restart
# service apache2 stop
# service apache2 start



Q. How do I monitor my ssh server with monit? How do I restart ssh server if it does not respond or dead due to any issues under Linux?

A. You can easily monitor Linux server or service such as OpenSSH (SSHD daemon) using monit utility.

Monitor SSH and Auto Restart If Died

Open your /etc/monitrc or /etc/monit/monitrc file:
# vi /etc/monit/monitrc
Append following code:
check process sshd with pidfile /var/run/
start program "/etc/init.d/ssh start"
stop program "/etc/init.d/ssh stop"
if failed port 22 protocol ssh then restart
if 5 restarts within 5 cycles then timeout

Save and close the file. Make sure you set /var/run/ and /etc/init.d/ssh as per your Linux distribution. These values are valid for Debian / Ubuntu Linux. Restart monit to pickup the changes:
# /etc/init.d/monit restart



Each distribution comes with a shell script (read as service) to restart / stop / start MySQL server. First login as root user and open shell prompt (command prompt).

First login as root user. Now type the following command as per your Linux distro:

A) If you are using mysql on RedHat Linux (Fedora Core/Cent OS) then use following command:

* To start mysql server:

/etc/init.d/mysqld start

* To stop mysql server:

/etc/init.d/mysqld stop

* To restart mysql server

 /etc/init.d/mysqld restart

Tip: Redhat Linux also supports service command, which can be use to start, restart, stop any service:

# service mysqld start
# service mysqld stop
# service mysqld restart

(B) If you are using mysql on Debian / Ubuntu Linux then use following command:

* To start mysql server:

/etc/init.d/mysql start

* To stop mysql server:

/etc/init.d/mysql stop

* To restart mysql server

/etc/init.d/mysql restart



qmail-init(8) – Linux man page


qmail-init – start/stop scripts for qmail


init.d/qmail [ start | stop | restart | status ]

init.d/qmtpd [ start | stop | restart | status ]

init.d/pop3d [ start | stop | restart | status ]

init.d/qmqpd [ start | stop | restart | status ]

init.d/qmtpd [ start | stop | restart | status ]

init.d/smtpd [ start | stop | restart | status ]


These init scripts are responsible for starting and stopping the three main qmail services. init.d/qmail invokes qmail-start (the main qmail delivery agent), init.d/pop3d invokes qmail-popup, checkpassword, and qmail-pop3d (the POP3 server system for qmail) by way of tcpserver, init.d/qmqpd invokes qmail-qmqpd (the QMQP server for qmail — a specialized null-client protocol) by way of tpcserver, init.d/qmtpd invokes qmail-qmtpd (the QMTP server for qmail — a high-speed alternative to SMTP) by way of tcpserver, and init.d/smtpd invokes qmail-smtpd (the SMTP daemon for qmail) by way of tcpserver, as well as optionally invoking rblsmtpd if that package is installed.

These files typically reside in either /etc/rc.d/init.d (most systems using SysV-style init scripts) or /etc/init.d (Solaris).

Control Files


Default delivery instructions. Default: ./Mailbox. The contents of this file are used as the default delivery instructions for any legitimate local address that has either nonexistant or empty delivery instructions. See dot-qmail(5) for details on the contents. To emulate the typical sendmail and procmail combined configuration, install the dot-forward and procmail packages (and ensure they and preline are in the path), and put the following lines in this file: |dot-forward .forward
|preline procmail
If antirbl is installed, this file contains a list of domains for which to disable RBL testing. Default: empty.
The password checking program for all systems that require one (currently only init.d/pop3d) Default: checkpassword.
Maximum number of simultaneous inbound POP3 connections. Default: 20.
Maximum number of simultaneous inbound QMQP connections. Default: 20.
Maximum number of simultaneous inbound QMTP connections. Default: 20.
Maximum number of simultaneous inbound SMTP connections. Default: 20.
The program that is to be used for message logging. Default: splogger. It is started in the /var/log directory. If the string contains {}, then it replaced with the name of the system being logged (such as qmail or pop3d), otherwise the system name is appended to the string. To use multilog ensure that a subdirectory in /var/log exists for each of the systems and put the following in this file: multilog -t {}
If rblsmtpd is installed, this file lists the RBL domain servers on which to do lookups. Default:
If rblsmtpd is installed, this file sets the timeout value. Default: 60.
The maximum amount of CPU time an individual daemon process (pop3d, qmqpd, qmtpd, or smtpd) is allowed to consume before it is terminated, in seconds. Default: unlimited.
The maximum data segment size of an individual daemon process, in kilobytes. Default: unlimited.



HOw to Custom SSH Port in Linux Machine

Part of security measure, it is advisable to change default ports to your own defined ports.

SSH port is one among them that you need to customize. 🙂

Here is the detail on how you can customize your own ports for your own needs,

You should be able to define a custom port in /etc/ssh/sshd_config. Make sure your firewall is accepting connections thru that port. Might be a good idea to leave 22 open until you confirm that the non-standard port is working properly. As always make a backup of the original file before editing. Then restart SSH server.

To restart ssh service or server type

/etc/init.d/sshd restart

To start ssh

/etc/init.d/sshd start

To stop ssh

/etc/init.d/sshd stop
Hope you will find it useful.