Change Passwords for All Users on Linux Server
I’ve got 10 Linux servers that I need to lock down, by resetting the passwords for every single user all at once. The story behind this is long, but the general idea is that I need it to happen very quickly at a specific time. I’m going to use a single, tough password for all the user accounts (just initially), so this doesn’t need to read from a password file or anything like that. So what I need is the best way to script this out so I can reset all the passwords at once. I can extract a list of the user accounts with the cat /etc/passwd | cut -f1 -d: command, but that ends up including all of the accounts, including system accounts that I assume I shouldn’t mess with. So what’s my best option here? NOTE! When resetting passwords you also need to make sure to wipe anything extra from the ~/.ssh/authorized_keys file. Didn’t remember this until after — thankfully I’d pretty much locked the servers down tightly and there was nothing in authorized_keys other than server-to-server stuff.
3 Answers
You can select the UIDs >= 500 to make sure you only get real users and not system accounts and then use the option --stdin of passwd to change the password.
Something like this should work:
while IFS=: read -r u x nn rest; do
    # Field 3 is the UID; only touch accounts with UID >= 500
    if [ "$nn" -ge 500 ]; then
        echo "YOURSTRONGPASSWORD" | passwd --stdin "$u"
    fi
done < /etc/passwd
I ended up using this just because it was so simple. You might note that you need two dashes before stdin, like --stdin. I'd edit your answer but I don't have enough rep on SF.
BTW: if you have NFS installed you'll want to make sure you didn't change the password for nfsnobody, that is a system account, but has uid=65k. If you did, you just need to set it back to locked with: passwd -l nfsnobody
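An added example, not code from the question or its answers: a dry-run selector that addresses the two pitfalls raised in this thread, the high-UID nfsnobody account and leftover ~/.ssh/authorized_keys files. The UID range 500-60000, the nologin/false shell filter and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: choose password-reset targets from passwd-format lines on stdin.
# Assumed policy: UID 500-60000 and a shell other than nologin/false.

# select_reset_targets [UID_MIN] [UID_MAX]  -> prints "user:home" per target
select_reset_targets() {
    uid_min=${1:-500}; uid_max=${2:-60000}
    while IFS=: read -r user _pw uid _gid _gecos home shell; do
        # Skip malformed lines and non-numeric UIDs.
        case $uid in ''|*[!0-9]*) continue ;; esac
        # The upper bound keeps out nfsnobody (UID 65534) and similar accounts.
        if [ "$uid" -lt "$uid_min" ] || [ "$uid" -gt "$uid_max" ]; then continue; fi
        # Accounts without an interactive shell are left alone.
        case $shell in */nologin|*/false) continue ;; esac
        printf '%s:%s\n' "$user" "$home"
    done
}

# list_key_files [UID_MIN] [UID_MAX]  -> existing authorized_keys files of the targets.
# A password reset leaves these files untouched, so each one needs review.
list_key_files() {
    select_reset_targets "$@" | while IFS=: read -r _user home; do
        if [ -f "$home/.ssh/authorized_keys" ]; then
            printf '%s\n' "$home/.ssh/authorized_keys"
        fi
    done
}

# Constructed sample input, not taken from a real host.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/zsh
svcbackup:x:502:502:backup job:/var/lib/backup:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF
}

# Dry run: show which accounts would be reset; nothing is changed.
sample_passwd | select_reset_targets | cut -d: -f1
```

On a real host the functions read /etc/passwd on stdin, for example select_reset_targets < /etc/passwd, and the resulting names can be reviewed before they are fed to the reset loop.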
How to Handle Account Passwords in Linux With passwd Command
The passwd command in Linux allows you to change user password, lock accounts, expire passwords and more. Learn how to use the passwd command with practical examples.
Security technologies have come a long way, but the venerable password still remains one of the most common tools used to secure data.
The passwd command lets you change the user password in Linux but it can do a lot more than that. You can lock (and unlock) users. You can make a user change the password on the next login and more.
In this tutorial, I’ll show you some useful examples of the passwd command that you may use as a sysadmin.
Practical examples of passwd command
The passwd command works on the /etc/passwd file. The changes you make are reflected there.
Where is the password stored in Linux? It is stored in encrypted form in the /etc/shadow file.
Let’s see some examples of the passwd command.
1. Change your own password
To change the current user’s password i.e. your own account password, just enter the passwd command without any options.
You’ll be asked to use your current password first:
[email protected]:~$ passwd
Changing password for christopher.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
If you enter your current password as the new password, the system will throw an error message saying that the password is unchanged and prompt you again for a new password.
2. Create root password
Many Linux distributions come without a root password set. The only way to access the root account is through the sudo or su commands. This is because a default password like ‘toor’ would make a system vulnerable to attackers.
You must be a sudo user to create a root password:
[email protected]:~$ sudo passwd root
[sudo] password for christopher:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
This is one of many reasons why it is critical to properly configure user access. You wouldn’t want all users to be able to change your root password!
3. Change other user’s password
You can change another user’s password in Linux by running the passwd command as root or with sudo.
You won’t be asked for the old password. You are resetting the password, after all, and as the admin you should be able to do that.
[email protected]:/home/christopher# passwd christopher
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
4. Check password status
You can check the status of a user’s password like this:
[email protected]:~$ passwd -S christopher
christopher P 06/13/2020 0 99999 7 -1
Let’s review this information. I will organize it into a table to make it easier to read. Then I will discuss what certain values mean.
Username | Status | Date Last Changed | Minimum Age | Maximum Age | Warning Period | Inactivity Period |
---|---|---|---|---|---|---|
christopher | P | 06/13/2020 | 0 | 99999 | 7 | -1 |
Let’s look first at the status column. Here are the possible options for this field.
Status | Description |
---|---|
P | Usable password |
NP | No password |
L | Locked password |
There are some special numbers reserved for setting parameters on password rules.
Special Numbers for Age | Description |
---|---|
99999 | Never expires |
0 | Can be changed at anytime |
-1 | Not active |
Here you see that the warning period is set at 7 days, but because the inactivity period is disabled and the age is set to never expire, no warning would occur.
5. Check password status for all accounts
You may also check the password status of all user accounts on your system:
6. Force user to change password at next login
You can use the -e option to expire a user’s password immediately. This will force the user to change the password at next login.
Here’s what the forced expiry looks like:
[email protected]:/home/christopher# passwd -e christopher
passwd: password expiry information changed.
Now you can check the status to note the changes:
[email protected]:/home/christopher# passwd -S christopher
christopher P 01/01/1970 0 99999 7 -1
As you can see, the password set date has been changed to ’01/01/1970′. This date is historically linked to Unix systems as its “epoch” date. This basically means that this date is day ‘0’ (on a 32-bit scale) in the history of Unix.
You have successfully expired the password. The next time my account logs in, it will be forced to change to a different password.
7. Lock or unlock user accounts
The -l option of the passwd command allows you to lock a user account in Linux.
Once you use it on a user account, the password will no longer work to grant access.
[email protected]:/home/christopher# passwd -l christopher
passwd: password expiry information changed.
You can confirm the status of the user’s password with the -S option as discussed earlier. L stands for lock in the output here.
[email protected]:/home/christopher# passwd -S christopher
christopher L 06/13/2020 0 99999 7 -1
Unlocking the user account is just as easy. Use the -u option to unlock the user:
[email protected]:/home/christopher# passwd -u christopher
passwd: password expiry information changed.
You may confirm the status. The P in the output means usable password, i.e. the password can be used with the account.
[email protected]:/home/christopher# passwd -S christopher
christopher P 06/13/2020 0 99999 7 -1
8. Delete password from an account and make it password-less
I don’t see any practical use case for this, but you can delete the password for a certain account. This way, that account won’t need a password to access the system. This is not good for security.
You may also use the -n option to force a user to change the password in N number of days. But doing this manually is a waste of time. Instead, you should properly configure your system’s password policy so that it is applicable to all user accounts.
You can always see all available options by using the -h option.
I hope this tutorial was helpful in getting you started with the passwd command in Linux.
How To Change Passwords in Linux
Passwords are one of the most important aspects of computing. They keep our bank accounts, user profiles and computers safe (as long as we don’t reuse passwords). Just to log into our computers, most of us need a password and, for Linux, this is even more important.
Managing passwords via the terminal is relatively simple. Users can change their own passwords, and users belonging to the sudo (super user) group can administer the passwords of other users.
In this how-to we’ll learn the basics of passwd, a command designed to manage passwords. We will also learn a few advanced arguments for this command, arguments which will enhance its use and make our lives easier.
These commands will work on most Linux machines. Our test PC ran Kubuntu 21.10 but you can also run through this how-to on a Raspberry Pi. All of the how-to is performed via the Terminal.
How to Change your Password in Linux
Any user can change their password at any time. It is good practice to frequently change your password, and to not reuse or rotate passwords.
1. Open a terminal.
2. Type in the passwd command to start the password change process. Passwd may look like a spelling mistake, but it is the command to work with passwords on the terminal.
3. Type in your current password and press Enter.
4. Type in your new password, press Enter. Then type it in again to confirm that it is correct. Note that Linux will not echo (print) the password to the screen, nor will it show any asterisk indicating password length.
Change Another User's Password
If you are an administrator of many users, there will come a time where a user forgets their password and it will fall to you, or someone with sudo privileges to reset their password.
To change another user's password we use the same command, but specify the user’s name.
1. Open a terminal.
2. Type in the passwd command along with the user name. To use this command you will either need to be root, or be part of the “sudo” group. In the code example we assume that you are in the sudo group.
3. Change the user’s password, and confirm the change.
Force a Password Reset
You’ve heard that one of your users has been reusing their passwords; this is bad. So let’s give them a chance to change their password. Using the -e argument we can enforce a password reset by expiring their password.
1. Open a terminal.
2. Type in the command and pass the -e argument to expire Tom’s password.
When Tom next logs in, the system will force Tom to change their password. Here we have simulated Tom logging in by using the “su” command to switch our user to Tom.
There may come a time when a user account will need to be temporarily locked, preventing them from logging in. For this we can use the -l argument to lock the account. Here we are locking Tom out of their account.
1. Open a terminal.
2. Use the command with the -l argument to lock Tom’s account.
When Tom next tries to login, their password is rejected and they receive an authentication error. Here we again simulate it using su to switch users.
3. To unlock Tom’s account we use the -u switch.
Exploring the passwd Command
The passwd command has a number of useful arguments (parameters) that we can pass when using the command. Here are some examples.
Checking the status of a user’s password is a useful tool for system administrators when it comes to audits and housekeeping. Here our test account, Tom, is audited.
Open a terminal and run the command with the -S switch. This will show the status of the account.
The output is formatted to show:
The username
Password status: Locked (L), No Password (NP), Password (P)
Date of last password change
Minimum password age
Maximum password age
Warning period (the number of days given to the user to change their password before it expires)
Inactivity period (number of days after a password expires before it is locked)
If we wanted to set the number of days for Tom’s warning period to 14 days, we would use this command.
If you want to list the password status for all users, then the -a switch is just the thing. This switch is used with -S to list the status of every user, even the users that you never knew existed. These extra users are used for specific tasks, such as printers and networking.
Here we can see all the users on our test machine, but the two “real” users are Les and Tom.
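An added example, not taken from either tutorial: a small filter that reads status lines in the seven-field layout described in both status sections above and reports the accounts an audit would follow up on. The function names, the finding messages and the MM/DD/YYYY date format (as in the sample output on this page) are assumptions; the sample lines are constructed.

```sh
#!/bin/sh
# Added example: summarise `passwd -S -a` style lines read from stdin.
# Field order: user status last-change min-age max-age warn inactive

audit_password_status() {
    awk '
        # Skip short or malformed lines.
        NF < 7 { next }
        # NP: the account can be used without any password.
        $2 == "NP" { print $1 ": no password set"; next }
        # Expired with -e: last change is reset to the epoch date.
        $2 == "P" && $3 == "01/01/1970" { print $1 ": must change password at next login"; next }
        # Maximum age 99999 means the password never expires.
        $2 == "P" && $5 >= 99999 { print $1 ": usable password that never expires" }
    '
}

# Constructed sample lines in the layout shown on this page.
sample_status() {
    cat <<'EOF'
root L 06/13/2020 0 99999 7 -1
christopher P 06/13/2020 0 99999 7 -1
tom P 01/01/1970 0 90 14 -1
guest NP 06/13/2020 0 99999 7 -1
les P 06/13/2020 1 90 14 30
EOF
}

# Demo run on the sample data.
sample_status | audit_password_status
```

On a live system the same filter takes the output of passwd -S -a (run as root) on stdin; locked accounts and passwords with a finite maximum age produce no finding.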
Les Pounder is an associate editor at Tom's Hardware. He is a creative technologist and for seven years has created projects to educate and inspire minds both young and old. He has worked with the Raspberry Pi Foundation to write and deliver their teacher training program "Picademy".