Passwd command in linux

Managing Linux users with the passwd command

Linux authentication is primarily handled with passwords and public keys. Find out how the passwd command fits into the user management process.

Unix-like operating systems. including Linux, were developed right from the start as preemptive multitasking and multi-user systems.

Multitasking refers to an operating system in which multiple processes, also called tasks, can execute (i.e., run) on a single computer seemingly simultaneously and without interfering with each other. Each process has the illusion that it is the only process on the computer and that it has exclusive access to all the services of the operating system.

Linux is multi-user because it allows multiple people to use a computer and not affect each other’s files, processes, preferences, etc.

Because there could be multiple users on the system, it is, therefore, necessary to manage their authentication. Authentication is primarily handled with passwords and public keys. One of the many tools available we use to set up passwords is the passwd command.

Linux security

The passwd command

The passwd command changes passwords for user accounts. A normal user may only change the password for their own account, while the superuser may change the password for any account. passwd also changes the account or associated password validity period. This task is achieved through calls to the Linux-PAM and libuser API.

In this article, I am assuming there are already users created on the system with useradd or some other command.

We can see users created on the system with this command:

[root@server ~]# cat /etc/passwd

Use the man page as a reference for passwd . As with all Linux commands, there is a synopsis, which details how the command is used. The man page synopsis for passwd is as below:

passwd [options] [LOGIN] Running the passwd command without any argument will ask for a change of password for the user logged in.

Options

Here is an explanation of some of the options for the passwd command:

The -S option displays the status of user account password settings.

# passwd -S evans evans PS 2020-09-07 0 99999 7 -1 (Password set, SHA512 crypt.)

The output above shows the account evans was created on 7th September 2020 and has a password set with SHA512 encryption.

The -l option is used to lock the password of a specified account, and it is available to root only. The result is that the user cannot use the password to log in to the system but can use other means such as SSH public key authentication.

This option will unlock the password. This option works for an account that already has the password locked.

This is a quick way to delete a password for an account.

This is a quick way to expire a password for an account. The user will be forced to change the password during the next login attempt.

This sets the number of days before a password can be changed. By default, a value of zero is set, which indicates that the user may change their password at any time.

This means user2 cannot change its own password until 10 days have passed.

To confirm the password setting made with the -n option above, run the following command:

# passwd -S user1 user1 PS 2020-12-04 10 99999 7 -1 (Password set, SHA512 crypt.)

The value of 10 after the date indicates the minimum number of days until the password can be changed.

Set the maximum number of days a password remains valid. After MAX_DAYS, the password is required to be changed.

This means after 90 days, the password is required to be changed.

Confirm the setting with passwd -S user1

[root@server ~]# passwd -S user1 user1 PS 2020-12-04 10 90 7 -1 (Password set, SHA512 crypt.)

The value of 90 after 10 indicates the maximum password lifetime.

This will set the number of days in advance the user will begin receiving warnings that the password will expire.

This means the user will receive warnings that the password will expire 7 days before the expiration.

This option is used to disable an account after the password has been expired for a number of days. After a user account has had an expired password for INACTIVE days, the user may no longer sign on to the account.

This means after a user account has had an expired password for 5 days, the user may no longer sign on to the account.

This option indicates that passwd should read the new password from standard input, which can be a pipe.

# echo "userpasswd1"|passwd --stdin user1

This command will read from the echo command and pass it to the passwd command. So this will set the user1 password to userpasswd1.

Wrap up

The passwd command is quite popular to manage user accounts on your Linux system. It manipulates some of the entries in the /etc/passwd file, and the sysadmin should have this in his toolbox.

Источник

How To Use The Passwd Command In Linux

The passwd command modifies passwords for user accounts and manages the password validity period. This is a must-know utility for user account administration.

This article shows examples of how to use the passwd command in Linux, along with all the available options.

Note: To check if you have sudo privileges, type sudo whoami in the terminal.

passwd Command in Linux With Examples

Using the passwd command, a superuser changes and modifies settings for any user. Regular users are only allowed to change their own password.

The terminal prints out what user you are changing the password for. Type your current password, and then define and confirm your new password.

Any password that does not meet basic requirements is rejected and a user must re-enter a new password. Using a strong password is an important security aspect, and it helps prevent brute force attacks.

See Password Status Info

Using passwd with the —status option displays all the information about a password and the validity periods. The shorter version is -S :

Check another user’s password status by entering:

The password status has seven fields:

1. A user’s login name.
2. Whether a user has a locked password (L), no password (NP), or a password (P).
3. Date of last password change.
4. Minimum password age.
5. Maximum password age.
6. Warning period for password change.
7. Inactivity period for the password change.

The last three fields are in days.

See Password Status Info for All the Accounts

Check the status info for all accounts using passwd with the sudo command with the -S and -a options, or the extended version —all :

Note: You can create a sudo user and assign elevated permissions. Make sure it’s a trusted user.

Change a User Password

To change a specific user’s password, run the passwd command with sudo privileges and the account you wish to update:

This option comes in handy if a user has forgotten their password.

Note: Reset or change the sudo or root password in case you forget it.

Delete User Password

If a user has a password and you need to remove it, use:

When you check the password status, it changes the second field from P to NP:

The passwd —delete and passwd -d commands are a quick way to disable a password for an account.

Expire Account Password

To force expire a password use the —expire or -e options with the passwd command:

When you check the status, the date of the last password change is now 01/01/1970. The next time this user logs in, they must change their password.

Set Number of Days After the Password Expires and the Account Deactivates

An account can automatically deactivate after its password has expired and not changed for a certain number of days. Use the -i or —inactive option and set the number of days as an integer:

The last number in the status changes to the number of days you set for that user.

Set the Minimum Number of Days Between Password Changes

To change the minimum number of days between password changes, use the —mindays or -n option with the number of days as an integer:

In the status report for that user, the set number appears after the date.

Set the Maximum Number of Days for Which the Password Remains Valid

To change the maximum number of days between password changes, use the —maxdays or -x option with the number of days as an integer:

The status of that user shows that maximum number of days for the password validity has changed.

Change the Expired Password

Once a password expires, a prompt appears during next login to change the password. Enter the old password and then a new one twice for confirmation. In this example, the expiry was root enforced:

Note: In this example, the su command switches to the user account, but use the sudo command if possible. Read about the difference between sudo and su.

Display the Warning for Expiring Password

The warning period message displays for expiring passwords. Use the option —warndays or -w to set how many days before the expiry the warning appears:

Lock the Password

Locking a password makes the user unable to log in using their password. However, they are still able to log in using other authentication methods. To lock a password, use:

The password status for that user changes to L. In the example below, it changes from P to L:

Unlock the Password of an Account

To unlock a password for a locked account (L), use the —unlock or -u option:

The password status changes from locked (L) to the previous state of the password for the account, allowing the user to log in regularly.

Use the Quiet Mode

Quiet mode hides the “Changing the password for ” message:

The password status changes from locked (L) to the previous state of the password for the account, allowing the user to log in regularly.

The passwd -q command is useful when you do not want to display the username you are changing the password for on your screen.

Note: When you need to update passwords of multiple users, use the chpasswd command.

Change Password for Repository Named “Repo”

For more advanced usage, the /etc/nsswitch.conf file specifies the repositories where the password changes happen. Specify the repository with the command:

Change the Root Directory for the passwd Command Process

The passwd command process runs from the default root directory. Modify the root directory by running the —root option:

Or the -R option:

You need to set a password for root for the information update.

See All passwd Commands

There are numerous commands to use with the passwd tool. List all the options if you forget any by running:

A list of all the options along with a short description prints out:

The passwd command is vital for managing account security, both for an individual user and a system administrator. Automating password validity periods is convenient and easily configurable.

If you find it hard to keep track of all the different passwords and changes, there are many enterprise solutions for password management.

Milica Dancuk is a technical writer at phoenixNAP who is passionate about programming. Her background in Electrical Engineering and Computing combined with her teaching experience give her the ability to easily explain complex technical concepts through her content.

Speed up connecting to remote servers by enabling passwordless SSH login via public key authentication.

Are you looking to change the root password in Ubuntu? Changing passwords is a good practice and should be.

In Linux, root privileges (or root access) refers to a user account that has full access to all files.

MySQL is a database management system. It’s operated under the Open Source software model and has become a.

Источник