- How to check last password change date of user in Linux/Unix
- Check last password change date
- For system user
- Understanding shadow file format and fields.
- For Active Directory User
- Check password expiration in Linux
- passwd command
- Check password status
- Passwd Command in Linux – Options + Examples
- Prerequisites
- Passwd Command
- Passwd command Options
- Passwd Command Examples
- Account lock unlock status in Linux
- Solution :
How to check last password change date of user in Linux/Unix
The chage command changes the number of days between password changes and the date of the last password change. The system uses this information to determine when a user must change their password. chage reads /etc/passwd and /etc/shadow to get a user's password details, such as the last password change date, password expiry and other aging information.
Check last password change date
For system user
The chage command reads the last password change date from /etc/shadow, where it is stored in the 3rd field.
To view account aging information for user deepak using the chage command:
# chage -l deepak
Last password change                                : Nov 09, 2019
Password expires                                    : never
Password inactive                                   : never
Account expires                                     : never
Minimum number of days between password change      : 0
Maximum number of days between password change      : 99999
Number of days of warning before password expires   : 7
Understanding shadow file format and fields.
The value is stored not as a date and time but as the number of days since Jan 1, 1970, as in the example below.
test::16681:0:99999:7::19691002:
      ^
      |---------- Here
We have 9 fields in /etc/shadow. The meaning of each field, in the order in which they appear:
- sp_namp — pointer to null-terminated user name
- sp_pwdp — pointer to null-terminated password
- sp_lstchg — days since Jan 1, 1970 password was last changed
- sp_min — days before which password may not be changed
- sp_max — days after which password must be changed
- sp_warn — days before password is to expire that user is warned of pending password expiration
- sp_inact — days after password expires that account is considered inactive and disabled
- sp_expire — days since Jan 1, 1970 when account will be disabled
- sp_flag — reserved for future use
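The field layout above, as an added example (not code from the original article): a POSIX shell function that decodes the aging fields of shadow-format lines into calendar dates and reads the lock state from the password field. The sample lines are constructed from values shown on this page with placeholder hashes, the function names are illustrative, and it assumes a date that accepts -d @SECONDS (GNU coreutils or BusyBox).

```sh
#!/bin/sh
# Added example: decode /etc/shadow aging fields (sp_lstchg, sp_max) and lock state.

days_to_date() {              # days since 1970-01-01 -> YYYY-MM-DD (UTC)
    date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d
}

shadow_report() {             # stdin: shadow-format lines; stdout: one summary per user
    while IFS=: read -r name pw lstchg min max warn inact expire flag; do
        case $pw in
            '')   state=NP ;;     # empty field: no password set
            '!'*) state=LK ;;     # leading "!" (passwd -l writes "!!"): locked
            *)    state=PS ;;     # password hash present
        esac
        case $lstchg in
            '') changed=aging-disabled; expires=never ;;
            0)  changed=must-change-at-next-login; expires=n/a ;;
            *)  changed=$(days_to_date "$lstchg")
                case $max in
                    ''|99999) expires=never ;;
                    # Password expiry = sp_lstchg + sp_max
                    *) expires=$(days_to_date $(( lstchg + max ))) ;;
                esac ;;
        esac
        printf '%s %s changed=%s expires=%s\n' "$name" "$state" "$changed" "$expires"
    done
}

sample_shadow() {             # constructed sample input, placeholder hashes
    cat <<'EOF'
deepak:$6$placeholder$hash:18223:0:30:7:::
user1:!!$1$placeholder$hash:17075:0:90:7:::
test::16681:0:99999:7:::
EOF
}

sample_shadow | shadow_report
```

On a live system, run it as root with `shadow_report < /etc/shadow`.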
As you can see, the first line of the chage -l output can be used to check the last password change date of a user:
# chage -l deepak | head -n 1
Last password change                                : Nov 09, 2019
But the downside here is that the root user can also change the last password change date using "-d". Here I change user deepak's last password change date to 23rd Nov 2019
As you can see, this option may not be very reliable in some cases, so you can rely on /var/log/* files to check the password change history of a user. Search for strings such as "passwd" or a related match, depending on your distribution, to get the password change history of a user. In any case, in a production environment a normal user will not have the privilege to change the last password change date.
Next, check the last password change date for user deepak
# chage -l deepak | head -1
Last password change                                : Nov 23, 2019
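One way to run the log cross-check described above, as an added example that is not part of the original article: it compares the date derived from the shadow field with the last "password changed" event that pam_unix logged for the user. The log lines are constructed, the function names are illustrative, and it assumes RFC 3339 timestamps, chronological order, and a date that accepts -d @SECONDS.

```sh
#!/bin/sh
# Added example: does the shadow last-change date match what the auth log recorded?

days_to_date() {                  # days since 1970-01-01 -> YYYY-MM-DD (UTC)
    date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d
}

last_logged_change() {            # $1 = user; stdin = auth log; prints date of last change
    awk -v u="$1" '
        /pam_unix\(passwd:chauthtok\): password changed for / && $NF == u {
            d = substr($1, 1, 10)      # keep YYYY-MM-DD from the timestamp
        }
        END { if (d != "") print d }'
}

check_lstchg() {                  # $1 = user, $2 = sp_lstchg in days; stdin = auth log
    shadow_date=$(days_to_date "$2")
    log_date=$(last_logged_change "$1")
    if [ -z "$log_date" ]; then
        echo "NO-LOG-EVIDENCE shadow=$shadow_date"
        return 2
    elif [ "$log_date" = "$shadow_date" ]; then
        echo "CONSISTENT shadow=$shadow_date log=$log_date"
    else
        # Field changed without a matching passwd event, e.g. by root with chage -d.
        echo "MISMATCH shadow=$shadow_date log=$log_date"
        return 1
    fi
}

sample_log() {                    # constructed log lines
    cat <<'EOF'
2019-11-09T10:12:44+00:00 node1 passwd: pam_unix(passwd:chauthtok): password changed for deepak
2019-11-12T08:01:10+00:00 node1 passwd: pam_unix(passwd:chauthtok): password changed for user1
2019-11-20T17:30:02+00:00 node1 sshd[2211]: Accepted password for deepak from 192.0.2.10 port 50022 ssh2
EOF
}

# Shadow says Nov 23 (18223 days), the log last saw a change on Nov 09.
sample_log | check_lstchg deepak 18223 || true
```

A mismatch can also come from rotated logs or from a log written in a local time zone near midnight, so treat it as a reason to look closer rather than as proof.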
For Active Directory User
But what if your Linux system is connected to Windows Active Directory? To check the last password change date of an AD user you will need access to the Windows Active Directory node. I am not aware of any tool which can show last password change related details of an Active Directory user on Linux.
Please do let me know via the comment section if you are familiar with any tool. On Windows AD you can use "net user" from PowerShell to check when the password expires for an AD user.
Syntax:
I have an AD user amit on my RHEL 7 Linux client which is connected to Windows Active Directory
# id golinuxcloud.com\\amit
uid=1407601118(amit) gid=1407600513(domain users) groups=1407600513(domain users)
For example, to check the last password change date of Active Directory user amit from the PowerShell CLI of Windows Server 2012:
PS C:\Users\Administrator> net user amit /domain
User name                    amit
Full Name                    admit
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            11/24/2019 12:20:58 PM
Password expires             1/5/2020 12:20:58 PM
Password changeable          11/25/2019 12:20:58 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.
Check password expiration in Linux
Using the chage command you can also check the password expiration date of a user in Linux, and of course change it. To check the password expiration date of user deepak:
# chage -l deepak | head -n2
Last password change                                : Nov 23, 2019
Password expires                                    : never
So the password is currently set to "never expire" for deepak. To change the password expiration date of user deepak we will use "-M". With -M we set the maximum number of days during which a password is valid. Here we set the password to expire after 30 days
Now check the password expiration date of deepak
# chage -l deepak | head -n2
Last password change                                : Nov 23, 2019
Password expires                                    : Dec 23, 2019
passwd command
We have another tool, the passwd command, which most of us mainly use to change a user's password. But the passwd command can do much more, such as check password status, reset a password's failed login attempts, lock and unlock a user, and more.
Check password status
You can also check the password status of a user with the passwd command. Here -S outputs short information about the status of the password for a given account
# passwd -S deepak
deepak PS 2019-08-31 0 99999 7 -1 (Password set, SHA512 crypt.)
You can also check the last password change date of a user using "passwd -S". The third field of the passwd -S output above is the last password change date of the user, and it is in sync with the chage output below from the same Linux machine.
# chage -l deepak | head -n 1
Last password change                                : Aug 31, 2019
If the password is locked for user deepak, the password status output looks like this
# passwd -S deepak
deepak LK 2019-11-23 0 30 7 -1 (Password locked.)
Lastly, I hope the steps from the article to check the last password change date and password aging information of system and Active Directory users in Linux were helpful. So, let me know your suggestions and feedback using the comment section.
Passwd Command in Linux – Options + Examples
Security is one of the most touted features of Linux, and the way it manages and authenticates its users helps justify that. Linux authenticates users through passwords and public keys.
Linux distributions let you set up administrative accounts during OS installation, and this can be changed later if you have the required privilege. Generally, there is no default password set for any user account in Linux. When a new user is created with useradd, the account doesn't have a password; in order to log in, the password has to be created separately.
In this tutorial, we'll learn how to use the passwd command to change passwords in Linux.
Prerequisites
- Any Linux system
- Basic knowledge of Linux command line
- An existing user account
- Required privilege to run the command
Passwd Command
passwd is a command that changes user account passwords in the Linux system. A regular user has the privilege to only change the password for their individual account while a superuser (root) exercises the privilege to change passwords for any account in the system.
The passwd command changes the user’s password by modifying the passwords that are stored as encrypted strings in the /etc/shadow file. It can also be used to change the validity periods and other related settings for passwords associated with the account.
After entering the passwd command in the terminal, users first need to enter their current password for verification. Superusers are exempt from this step when changing the passwords of other accounts, which is what makes it possible to reset forgotten passwords for user accounts.
After verifying the current password, passwd checks whether the current user has the privilege to alter the password.
Only if the current user has the privilege are they prompted for a new password. In the next step, passwd checks the complexity of the new password. If the password passes the complexity test, passwd prompts for the new password to be retyped. If the two entries match, the new password is set for the user.
The configuration files passwd uses are:
- /etc/passwd — stores the user account information
- /etc/shadow — stores secure user account information
- /etc/pam.d/passwd — stores PAM configuration for passwd
Passwd command Options
| Option | Description |
|---|---|
| -a, --all | Display password status of every account in the system |
| -d, --delete | Remove user password |
| -e, --expire | Expire user's password immediately |
| -h, --help | Show this help information |
| -k, --keep-tokens | Change password only in case of expired authentication tokens |
| -i, --inactive INACTIVE | Deactivate the password after INACTIVE number of days following the password expiry |
| -l, --lock | Lock the password for the account specified |
| -n, --mindays MIN_DAYS | Set the minimum number of days between password changes to MIN_DAYS |
| -q, --quiet | Enable quiet mode |
| -r, --repository REPOSITORY | Change password in REPOSITORY repository |
| -R, --root CHROOT_DIR | Specify directory to chroot into |
| -S, --status | Display account status information |
| -u, --unlock | Unlock the password of the named account |
| -w, --warndays WARN_DAYS | Set the number of days before the required password change the user will be warned to WARN_DAYS |
| -x, --maxdays MAX_DAYS | Set the maximum number of days the password remains valid for a user to MAX_DAYS |
Passwd Command Examples
Now we'll see the passwd command in action with the following examples.
Account lock unlock status in Linux
To check the current password status of the account in Linux.
Solution :
1. To check if the account is locked or not
Below are two examples of command outputs when the account is locked and when the account is not locked.
If the account is locked, passwd -S clearly shows "Password locked"; otherwise it shows the "Password set" status.
# passwd -S user1
user1 LK 2016-10-01 0 90 7 -1 (Password locked.)
# passwd -S user1
user1 PS 2016-10-01 0 90 7 -1 (Password set, MD5 crypt.)
The account status can also be determined from the encrypted password field in the /etc/shadow file. If the encrypted password entry is preceded by !! then the account is locked.
# cat /etc/shadow |grep -i user1
user1:$1$ZFXgKhSG$lroasdrS0QM4iji.4h1:17075:0:90:7.
# cat /etc/shadow |grep -i user1
user1:!!$1$ZFXgKhSG$lroasdrS0QM4iji.4h1:17075:0:90:7.
2. Lock account manually.
Sometimes it is advisable to lock an account manually if you suspect malicious activity from it. In such cases, the account can be locked instantly using the command below. Note that current live sessions of that account are not affected when you lock it. You have to terminate the currently active sessions manually to kick the user out of the system. The user won't be able to log in to the system after the lockout.
# passwd -l user1
Locking password for user user1.
passwd: Success
3. Unlock the account manually.
To unlock a locked account on the system, use the command below. As with locking, active sessions are not affected.
# passwd -u user1
Unlocking password for user user1.
passwd: Success.