nologin vs false

What's the best way to disable a Linux user account?


When disabling a user account on a Linux box, it is good practice to also change the shell to something which, well, isn’t a shell. The point of these shells is rather than presenting the user with a prompt to execute further commands, it returns a failure code, and log out the user.

If you look around, people recommend a couple different things to set as the user’s shell: /bin/nologin and /bin/false. Not once have I seen someone say why to use either, nor what the differences are.


false is a foundational part of the shell. It’s an incredibly simple application which does nothing but exit.

Even the source code is simple: false.c

The source code itself is slightly misleading. false is actually an extension of true, but with a different return code. false returns status code 1, whilst true return 0.

The real logic actually lives there: true.c

Both true and false are incredibly simple, even if you know nothing about C. And as a result are incredibly fast.


nologin is designed to do exactly what we want it to. It’s specifically designed to prevent login by being set as a user’s shell.

nologin does a little more than false, but it’s still very simple code to read: nologin.c

Once executed, nologin will try to read /etc/nologin.txt to get a custom message to show the user. If it exists, it prints that and exits with code 1. If it doesn’t exist, it shows the default message, and exits with code 1. This customization makes it much more user-friendly, although because the file is global, one system can only have one configured message.


rssh is a unique shell. Rather than executing commands, like bash, it allows filtering of specific SSH uses down to exactly what’s needed. For example, you can block all access unless it’s SCP.

rssh is a much larger application compared to false and nologin, but it’s still not especially complex code.

#Which should I use?

Realistically, it doesn’t really matter. The point of a disabled prompt is to exit with a fail quickly, which both false and nologin do. So long as you block access, it really doesn’t matter how.

If you’re hyper paranoid, use false, as it’s simpler and smaller. But you’ll lot more than just use false if you want things that locked down. Alternatively, if you want it to be more obvious what’s going on, use nologin, as its name makes a bit more sense, and terminates with a message.

rssh solves a specific issue. It’s best not to use it unless you need its features, but if you do need them, it’s a valuable tool in the kit!

Share this page

Similar content

Nebula mesh network - an introduction

8 minutes

WireGuard has been the “hot new thing” when it comes to VPNs, but it’s not always the best suited for every workload. Nebula is a mesh network originally created by Slack, but now owned by a separate company.TechSNAP 419 - Nebulous NetworkingLinux Unplugged 329 - Flat Network TruthersWhat’s a mesh…

Unsafe routes with Nebula

2 minutes

Nebula is a great mesh network I recently deployed into my stack. For connecting nodes spread between networks, it’s great, much better than my previous WireGuard installation. An additional feature of nebula is unsafe_routes. Unsafe routes allow nodes which don’t have Nebula installed to be accessible to other Nebula nodes.

Storing Ansible Vault password in Bitwarden

4 minutes

I’ve used Ansible for a number of years for the provisioning of both my servers and desktops. It’s versatile, it’s simple, it’s powerful, and has a number of great features. Personally, I make all of my “playbooks” public for all for all to see, but provisioning still requires some secrets.

View all →