1. Expire account
  2. Re-enable account
  3. Force user to re-enter a password
    1. Source

Sometimes you need to disable user accounts (say, people enter and leave the team).

Other times, you need a fictional user just to run certain processes but that user is not a real person. This is useful for managing accesses and give the least possible amount of permissions.

These commands will lock users out of the machine in any kind of authentication (ssh-key, password-based logins, etc).

Expire account

# disallow peter from logging in
sudo usermod --expiredate 1 user

Re-enable account

# set expiration date of peter to Never
sudo usermod --expiredate "" peter

Force user to re-enter a password

This will expire the current password of the user, but allow them to log in after they enter a new one.

# make peter think of a new password on login
sudo passwd -e  YYYY-MM-DD peter

Source

Credits.