The difference between passwd -l and passwd -d

There are two options for canceling a user password in Linux. You can either lock the password login or delete the password altogether. What implications do they have?

Most administrators today would probably set up their servers with SSH access. But if you initially provisioned the server with password authentication, you’ll need to prevent the user you used from logging in.

The passwd program can either lock an account (the -l option) or delete a password for the account (the -d option). What’s the difference?

Locking accounts would prevent users from logging in, but keep their passwords around:

$ sudo passwd -l root

This means you can later unlock these accounts and use them as before. It also means you’ll still need and use passwords for sudo if the password is required (you can configure sudo not to require password, though).

Removing the password, on the other hand, completely removes the password and removes the unnecessary lock if present:

$ sudo passwd -d root

Users without passwords won’t be require to input password on logging. If they are configured to use sudo, they can do that without password, too (even if password is required by sudo).

As for the SSH access, locked accounts cannot log in and logging of passwordless accounts depends on the PermitEmptyPasswords directive in /etc/ssh/sshd_config (location on Fedora-based systems). If set to yes, users can login without issues. If set to no or if the password authentication is disabled alltogether, then they won’t be able to log in (this should be default).


I wrote a complete guide on web application deployment. Ruby with Puma, Python with Gunicorn, NGINX, PostgreSQL, Redis, networking, processes, systemd, backups, and all your usual suspects.

More →