Managing Passwords

Managing Users and Groups within Linux

One of the most important aspects of running a Linux system is the management of users and groups. These accounts are generally a mixture of system accounts used for running services and human user accounts used for accessing the system and its services. Each account created is identified on the system by its own unique "userid".
Before we learn to add these users and groups, we will need a basic understanding of how this information is stored on your system.



Passwd and Shadow files


When you install your Linux system, one of the first accounts created is that of the "root" user. It is generally this account that is responsible for the creation of further accounts for users and services on the system. These users are stored within what is commonly known as the "password file", located at "/etc/passwd". Originally the "/etc/passwd" file held an encrypted form of the password. As this file is readable by all users, this was deemed to be a security risk. On most modern systems the encrypted part of a user's password is now stored in what is known as a shadow file. This shadow file can only be modified by the "root" user and certain accounts that are members of a special group on your system. Although the previous statement is generally true, normal users are allowed to change their own password by issuing the "passwd" command. The "passwd" command has special privileges assigned that allow it to execute as root and update the necessary files. We will cover this command a little later. If you would like to read about how a normal user can update a file which only root would normally be able to update, then read our section on "SUID" under the file permissions section.



/etc/passwd - The Password File


The passwd file is broken down into seven distinct fields. The first field is the "User ID". This is a unique name given to a user or a service. The second field is the password field. On older systems this field was filled with a hashed password. However, newer systems store the password in a "shadow" file. Where a shadow file is used, an "x" is placed in this field. The third field contains what is known as a "UID" or "Unique UserID". This is a numeric value. As mentioned earlier, the "root" account is created first and has a "UID" of "0". On many newer systems the UIDs assigned to users are generally in the range of either "500" or "1000" upwards. UIDs below this are generally used for services and administration accounts.

The fourth field is known as the "Group ID". Every user has a default group assigned at creation. Groups are how Linux allows users to share information with other people. Group numbers and their associated names are stored in the file "/etc/group". The next field is the "User Info" field. Here you can add users' names, phone numbers and other general information. Originally this field was known by the name "GECOS" (General Electric Comprehensive Operating System). The sixth field, "Home Directory", is the user's home area. Generally this area is created automatically based on the UserID. However, it can be set to any valid location. Finally, the last field is the default shell. In most cases this will be "BASH". The default shell can be set to any other shell that is available on your system. It is also quite common to see "/bin/false" entries. Where these are specified, they prevent that account from being used as a normal login account. Below is an example of a local account on an "Ubuntu Linux System":


john@john-desktop:~$ grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash

john@john-desktop:~$ grep landoflinux /etc/passwd
landoflinux:x:1002:1002:LandofLinux:/home/landoflinux:/bin/bash

john@john-desktop:~$ grep landoflinux /etc/group
landoflinux:x:1002:

The shadow file, as we mentioned earlier, is where the real hashed/encrypted password is stored. This file, "/etc/shadow", is only available to "root" users on a system. This safeguards the information stored within it. An example of a test account in "/etc/passwd" and its associated entry in "/etc/shadow" can be seen below for the user "mytest":


john@john-desktop:~$ grep mytest /etc/passwd
mytest:x:1003:1003:mytest:/home/mytest:/bin/sh

john@john-desktop:~$ sudo grep mytest /etc/shadow
mytest:$6$qBNqm7rX$rLEYlS7qN0Qpci6qlwWA6PxGuNBo.mcG3L.0GGjQhUrG3Xd1o4SQSR/tkfghBy.kfiBWNgn91c/jkdjClRTqk0:15764:0:99999:7:::

The fields within the shadow file are separated into eight sections by a colon ":"

UserID : Your login name

Salt combined with hashed password and algorithm information : On GNU Linux systems "$1$" is for MD5, "$2$" is for Blowfish, "$5$" is for SHA-256 and "$6$" is for SHA-512

Last Password Change - Days since 1st January 1970

Minimum number of days required between password changes.

Maximum number of days the password is valid for.

Warn - Number of days before the password expires on which the user is given notice

Inactive - The number of days after the password has expired before the account is disabled

Expiry - The number of days since the 1st January 1970 after which the account can no longer be used.


If no password has been set for an account it will look similar to the example below:


mytest:!:15764:0:99999:7:::

If the account has been locked it will look similar to the example below. Notice the "!" exclamation mark after the UserID field. This indicates that the account is locked.


mytest:!$6$dzFiO.Jx$Zu/8a1NsrkzLWUFyMkx9fQRwcMH3eSXd4NxCsQ3vrTEL8eDqyUlrJ4z/kubeSWfVvWkz/vs2B7id/3MsdXQLi.:15764:0:99999:7:::
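To make the eight fields and the three states above concrete, here is an added example (not code from the original page) that parses shadow-format records, applies the same P/NP/L classification that "passwd -S" uses, names the hash algorithm from the "$id$" prefix and turns the day counts into dates; the sample records are constructed from the entries shown above.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Algorithm identifiers as listed above; the "$2x$" forms are bcrypt (Blowfish).
HASH_IDS = {"1": "MD5", "2": "Blowfish", "2a": "Blowfish", "2b": "Blowfish",
            "2y": "Blowfish", "5": "SHA-256", "6": "SHA-512"}

# Constructed sample records based on the entries shown above: a set password,
# an account that never had a password, a locked account and a 30-day policy.
SAMPLE_SHADOW = """\
mytest:$6$qBNqm7rX$rLEYlS7qN0Qpci6qlwWA6PxGuNBo.mcG3L.0GGjQhUrG3Xd1o4SQSR/tkfghBy.kfiBWNgn91c/jkdjClRTqk0:15764:0:99999:7:::
nopass:!:15764:0:99999:7:::
locked:!$6$dzFiO.Jx$Zu/8a1NsrkzLWUFyMkx9fQRwcMH3eSXd4NxCsQ3vrTEL8eDqyUlrJ4z/kubeSWfVvWkz/vs2B7id/3MsdXQLi.:15764:0:99999:7:::
policy:$6$qBNqm7rX$rLEYlS7qN0Qpci6qlwWA6PxGuNBo.mcG3L.0GGjQhUrG3Xd1o4SQSR/tkfghBy.kfiBWNgn91c/jkdjClRTqk0:15764:7:30:5:::
"""

def parse_shadow_line(line):
    """Split one record into its eight colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError("expected 8 fields: %r" % line)
    name, pw, lastchg, mindays, maxdays, warn, inactive, expire = fields[:8]
    def days(s):                      # an empty field means "not set"
        return int(s) if s else None
    return {"name": name, "password": pw, "lastchg": days(lastchg),
            "min": days(mindays), "max": days(maxdays), "warn": days(warn),
            "inactive": days(inactive), "expire": days(expire)}

def password_status(pw):
    """Classify as 'passwd -S' does: NP if empty, L if it starts with ! or *,
    otherwise P. A bare "!" (no password ever set) therefore reports as L."""
    if pw == "":
        return "NP"
    return "L" if pw[0] in "!*" else "P"

def hash_algorithm(pw):
    """Name the algorithm from the $id$ prefix, ignoring a leading lock mark."""
    pw = pw.lstrip("!")
    if not pw.startswith("$"):
        return None
    return HASH_IDS.get(pw.split("$")[1], "unknown")

def audit(line):
    """Summarise one record: status, algorithm and the dates the day counts imply."""
    rec = parse_shadow_line(line)
    last = EPOCH + timedelta(days=rec["lastchg"]) if rec["lastchg"] is not None else None
    must_change = None                # 99999 is the conventional "never expires"
    if last is not None and rec["max"] is not None and rec["max"] < 99999:
        must_change = last + timedelta(days=rec["max"])
    return {"name": rec["name"], "status": password_status(rec["password"]),
            "algorithm": hash_algorithm(rec["password"]),
            "last_change": last, "must_change_by": must_change}

def audit_all(text):
    return [audit(l) for l in text.splitlines() if l.strip()]
```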



Password Management - passwd command examples



One important aspect of maintaining or administrating a Linux system is the management of users and their passwords. Whether you are creating a user for the first time, removing a user or simply resetting a password, you will need a basic understanding of the "passwd" command. Ordinary users have the ability to change their own password simply by issuing the "passwd" command followed by their userid. However, it is not unusual for users to forget their passwords, and then it is your duty to reset the password for that user. As well as setting passwords, you will also need to understand how to "Lock" and "Unlock" an account and how to view the status of a given account.



Change Password



passwd userid : Only the root user can change another user's password. Normal users may issue the command without parameters to change their own password.


root@ubuntu01-pc:~# passwd testuser
Enter new UNIX password: 
Retype new UNIX password:
passwd: password updated successfully
$ whoami
testuser
$ passwd
Changing password for testuser.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully


Display current status of an accounts password



passwd -S userid : Displays the current status of the user's password.


root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 0 99999 7 -1

The "-S" option requests the status of a userid. The returned result is split into seven fields. The first field is the user's login name. The second field indicates whether the user's account has been locked (L), has no password set (NP) or has a usable password (P). The third field gives the date of the last password change. The remaining four fields are the minimum age, maximum age, warning period and inactivity period for the password. These ages are expressed in days.

Lock a specified account



passwd -l userid : Locks the specified user account.


root@ubuntu01-pc:~# passwd -l testuser
passwd: password expiry information changed.

root@ubuntu01-pc:~# passwd -S testuser
testuser L 05/16/2015 0 99999 7 -1


Unlock a specified account



passwd -u userid : Unlocks the specified user account.


root@ubuntu01-pc:~# passwd -u testuser
passwd: password expiry information changed.

root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 0 99999 7 -1



Set Min number of days before password change



passwd -n 7 userid : Sets the minimum number of days that must pass between password changes (7 here).


root@ubuntu01-pc:~# passwd -n 7 testuser
passwd: password expiry information changed.

root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 99999 7 -1


Set Max number of days before password change



passwd -x 30 userid : Sets the maximum number of days a password remains valid before it must be changed (30 here).


root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 99999 7 -1

root@ubuntu01-pc:~# passwd -x 30 testuser
passwd: password expiry information changed.

root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 30 7 -1

Set Warning given before password expires



passwd -w 5 userid : Sets the number of days before the password expires on which the user starts to receive a warning (5 here).


root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 30 7 -1

root@ubuntu01-pc:~# passwd -w 5 testuser
passwd: password expiry information changed.

root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 30 5 -1





Show password status for ALL users



passwd -a -S : Shows password status for all users.

The following is an extract from the output of the above command:


root@ubuntu01-pc:~# passwd -a -S
root P 03/15/2014 0 99999 7 -1
daemon L 10/16/2013 0 99999 7 -1
bin L 10/16/2013 0 99999 7 -1
sys L 10/16/2013 0 99999 7 -1
sync L 10/16/2013 0 99999 7 -1
games L 10/16/2013 0 99999 7 -1
man L 10/16/2013 0 99999 7 -1
lp L 10/16/2013 0 99999 7 -1
mail L 10/16/2013 0 99999 7 -1
testuser P 05/16/2015 7 30 5 -1
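As an added example (not part of the original page), the following parses lines in the "passwd -S" format shown above and flags accounts whose usable password never expires or is older than a chosen age, plus accounts with an empty password field; the input is a constructed extract and the reference date is an assumption.

```python
from datetime import date, datetime

# Constructed extract in the format of the "passwd -a -S" output shown above.
SAMPLE_STATUS = """\
root P 03/15/2014 0 99999 7 -1
daemon L 10/16/2013 0 99999 7 -1
bin L 10/16/2013 0 99999 7 -1
nopw NP 05/16/2015 0 99999 7 -1
testuser P 05/16/2015 7 30 5 -1
"""
REFERENCE_DATE = date(2015, 6, 1)   # assumed "today" for the age calculation

def parse_status_line(line):
    """Parse the seven fields of one 'passwd -S' line into a dict."""
    name, status, changed, mindays, maxdays, warn, inactive = line.split()
    return {"name": name, "status": status,
            "changed": datetime.strptime(changed, "%m/%d/%Y").date(),
            "min": int(mindays), "max": int(maxdays),
            "warn": int(warn), "inactive": int(inactive)}

def find_policy_gaps(text, today=REFERENCE_DATE, max_age_days=90):
    """Return (name, reason) pairs worth an administrator's attention:
    NP accounts (whether an empty field permits login depends on the PAM
    configuration) and P accounts whose password never expires (99999)
    or is older than max_age_days. Locked (L) accounts are skipped."""
    gaps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_status_line(line)
        if rec["status"] == "NP":
            gaps.append((rec["name"], "empty password field"))
        elif rec["status"] == "P":
            if rec["max"] >= 99999:
                gaps.append((rec["name"], "no maximum password age"))
            age = (today - rec["changed"]).days
            if age > max_age_days:
                gaps.append((rec["name"], "password %d days old" % age))
    return gaps
```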



Delete a user's password



passwd -d userid : Delete a user's password. This is a quick way to disable a password for an account.


root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 30 5 -1

root@ubuntu01-pc:~# passwd -d testuser
passwd: password expiry information changed.

root@ubuntu01-pc:~# passwd -S testuser
testuser NP 05/16/2015 7 30 5 -1



Expire an account immediately



passwd -e userid : Immediately expire an account. This can be used to force a user to change their password immediately.


root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 30 5 -1

root@ubuntu01-pc:~# passwd -e testuser
passwd: password expiry information changed.

root@ubuntu01-pc:~# passwd -S testuser
testuser P 01/01/1970 7 30 5 -1



Display Help



passwd -h : Displays options available to the passwd command.


root@ubuntu01-pc:~# passwd -h
Usage: passwd [options] [LOGIN]

Options:
  -a, --all                     report password status on all accounts
  -d, --delete                  delete the password for the named account
  -e, --expire                  force expire the password for the named account
  -h, --help                    display this help message and exit
  -k, --keep-tokens             change password only if expired
  -i, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --lock                    lock the password of the named account
  -n, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -q, --quiet                   quiet mode
  -r, --repository REPOSITORY   change password in REPOSITORY repository
  -R, --root CHROOT_DIR         directory to chroot into
  -S, --status                  report password status on the named account
  -u, --unlock                  unlock the password of the named account
  -w, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
  -x, --maxdays MAX_DAYS        set maximum number of days before password
                                change to MAX_DAYS