Managing Passwords
Managing Users and Groups within Linux
One of the most important aspects of running a Linux system is the managing of users and groups. These accounts generally belong to a mixture of system accounts for running services and human user accounts for accessing the system and its services. Each account created is identified on the system with its own unique "userid".
Before we learn to add these particular users and groups we will need to have a basic understanding of how this information is stored on your system.
Passwd and Shadow files
When you install your Linux system, one of the first accounts created is that of the "root" user. It is generally this account that is responsible for the creation of further accounts for users and services on the system. These users are stored within what is commonly known as the "password file", located at "/etc/passwd". Originally the "/etc/passwd" file held an encrypted (hashed) form of the password. As this file is readable by all users, this was deemed to be a security risk. On most modern systems the encrypted part of a user's password is now stored in what is known as a shadow file. This shadow file can only be modified by the "root" user and certain accounts that are members of a special group on your system. Although the previous statement is generally true, normal users are allowed to change their own password by issuing the "passwd" command. This "passwd" command has special privileges assigned that allow it to execute as root and update the necessary files. We will cover this command a little later. If you would like to read about how a normal user can update a file which only root would normally be able to update, then read our section on "SUID" under the file permissions section.
/etc/passwd - The Password File
The passwd file is broken down into seven distinct fields, separated by a colon ":". The first field is the "User ID". This is a unique name given to a user or a service. The second field is the password field. On older systems this field was filled with a hashed password; newer systems store the password in a "shadow" file, and where a shadow file is used an "x" is placed in this field. The third field contains what is known as the "UID" or "Unique UserID". This is a number. As mentioned earlier, the "root" account is created first and has a "UID" of "0". On many newer systems the UIDs assigned to users are generally in the range from either "500" or "1000" upwards. UIDs below this are generally used for service and administration accounts.
The fourth field is known as the "Group ID". Every user has a default group assigned at creation. Groups are how Linux allows users to share information with other people. Group numbers and their associated names are stored in the file "/etc/group". The fifth field is the "User Info" field. Here you can add users' names, phone numbers and other general information. Originally this field was known by the name "GECOS" (General Electric Comprehensive Operating System). The sixth field, "Home Directory", is the user's home area. Generally this area is created automatically based on the UserID; however, it can be set to any valid location. Finally, the last field is the default shell. In most cases this will be "BASH", but the default shell can be set to any other shell that is available on your system. It is also quite common to see "/bin/false" entries; where these are specified, it prevents that account from being used as a normal login account. Below is an example of a local account on an "Ubuntu Linux System":
john@john-desktop:~$ grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash
john@john-desktop:~$ grep landoflinux /etc/passwd
landoflinux:x:1002:1002:LandofLinux:/home/landoflinux:/bin/bash
john@john-desktop:~$ grep landoflinux /etc/group
landoflinux:x:1002:
The shadow file, as we mentioned earlier, is where the real hashed/encrypted password is stored. This file, "/etc/shadow", is only available to the "root" user on a system, which safeguards the stored information within. An example of a test account in "/etc/passwd" and its associated entry in "/etc/shadow" is shown below for the user "mytest":
john@john-desktop:~$ grep mytest /etc/passwd
mytest:x:1003:1003:mytest:/home/mytest:/bin/sh
john@john-desktop:~$ sudo grep mytest /etc/shadow
mytest:$6$qBNqm7rX$rLEYlS7qN0Qpci6qlwWA6PxGuNBo.mcG3L.0GGjQhUrG3Xd1o4SQSR/tkfghBy.kfiBWNgn91c/jkdjClRTqk0:15764:0:99999:7:::
The fields within the shadow file are separated into eight sections by a colon ":":
UserID - The login name, matching the entry in "/etc/passwd"
Password - Salt combined with the hashed password and algorithm information. On GNU/Linux systems "$1$" is for MD5, "$2$" is for Blowfish, "$5$" is for SHA-256 and "$6$" is for SHA-512
Last Password Change - Days since 1st January 1970
Minimum - Minimum number of days required between password changes
Maximum - Maximum number of days the password is valid for
Warn - Number of days before the password expires that the user is given notice
Inactive - The number of days after the password has expired before the account is disabled
Expiry - The number of days since 1st January 1970 after which the account can no longer be used
If no password has been set for an account it will look similar to the example below:
mytest:!:15764:0:99999:7:::
If the account has been locked it will look similar to the example below. Notice the "!" exclamation mark after the UserID field. This indicates that the account is locked.
mytest:!$6$dzFiO.Jx$Zu/8a1NsrkzLWUFyMkx9fQRwcMH3eSXd4NxCsQ3vrTEL8eDqyUlrJ4z/kubeSWfVvWkz/vs2B7id/3MsdXQLi.:15764:0:99999:7:::
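The following parser, added here as an example and not part of the original page, splits shadow entries into the eight fields described above, interprets the password field (usable hash with its "$id$" algorithm, "!" for no password set, "!" prefix for locked, empty after "passwd -d") and turns the day counts into dates. The sample entries and their hashes are constructed placeholders.

```python
from datetime import date, timedelta

# Hash prefixes as listed on the page: $1$ MD5, $2$ Blowfish, $5$ SHA-256, $6$ SHA-512.
HASH_ALGORITHMS = {"1": "MD5", "2": "Blowfish", "5": "SHA-256", "6": "SHA-512"}
EPOCH = date(1970, 1, 1)   # shadow day counts are days since 1 January 1970
NEVER = 99999              # default "maximum days" value, meaning the password never expires

def parse_shadow_line(line):
    """Split one /etc/shadow entry into the eight fields described on the page."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError("malformed shadow entry: %r" % line)
    name, pw, last, mn, mx, warn, inact, expire = fields[:8]
    days = lambda v: int(v) if v else None   # an empty field means "not set"
    return {"name": name, "password": pw, "last_change": days(last),
            "min_days": days(mn), "max_days": days(mx), "warn_days": days(warn),
            "inactive_days": days(inact), "expire_day": days(expire)}

def password_state(entry):
    """Interpret the password field: empty, no password set, locked, or a usable hash."""
    pw = entry["password"]
    if pw == "":
        return "empty (password deleted, shown as NP by passwd -S)"
    if pw in ("!", "*"):
        return "no password set"
    if pw.startswith("!"):
        return "locked"                       # "!" placed in front of the stored hash
    if pw.startswith("$") and pw.count("$") >= 3:
        algo = HASH_ALGORITHMS.get(pw.split("$")[1], "unknown")
        return "usable %s hash" % algo
    return "unrecognised"

def last_change_date(entry):
    """Convert the 'days since epoch' field into a calendar date."""
    return EPOCH + timedelta(days=entry["last_change"])

def password_expires(entry):
    """Date by which the password must be changed, or None when max days is unset or 99999."""
    mx = entry["max_days"]
    if mx is None or mx >= NEVER:
        return None
    return last_change_date(entry) + timedelta(days=mx)

# Constructed sample entries (placeholder hashes, not real credentials).
SAMPLE_SHADOW = [
    "alice:$6$saltsalt$HASHHASHHASHHASH:15764:0:99999:7:::",
    "bob:!$6$saltsalt$HASHHASHHASHHASH:15764:0:30:7:::",
    "carol:!:15764:0:99999:7:::",
]

if __name__ == "__main__":
    for line in SAMPLE_SHADOW:
        e = parse_shadow_line(line)
        print(e["name"], password_state(e), last_change_date(e), password_expires(e))
```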
Password Management - passwd command examples
One important aspect of maintaining or administering a Linux system is the management of users and their passwords. Whether you are creating a user for the first time, removing a user or simply resetting a password, you will need a basic understanding of the "passwd" command. Ordinary users have the ability to change their own password simply by issuing the "passwd" command; the root user can also supply a userid to change another user's password. However, it is not unusual for users to forget their passwords, and then it is your duty to reset the password for that user. As well as setting passwords, you will also need to understand how to "Lock" and "Unlock" an account, and how to view the status of a given account.
Change Password
passwd userid : Only the root user can change another user's password. Normal users may issue the command without parameters to change their own password.
root@ubuntu01-pc:~# passwd testuser
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
$ whoami
testuser
$ passwd
Changing password for testuser.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Display current status of an accounts password
passwd -S userid : Displays current status of users password.
root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 0 99999 7 -1
The "-S" option requests the status of a userid. The returned result is split into seven fields. The first field is the user's login name. The second field indicates whether the user's account has been locked (L), has no password set (NP) or has a usable password (P). The third field gives the date of the last password change. The remaining four fields are the minimum age, maximum age, warning period and inactivity period for the password. These ages are expressed in days.
Lock a specified account
passwd -l userid : Locks the specified user account. This places a "!" in front of the hashed password in "/etc/shadow", so the stored hash is kept and can be restored later with "passwd -u".
root@ubuntu01-pc:~# passwd -l testuser
passwd: password expiry information changed.
root@ubuntu01-pc:~# passwd -S testuser
testuser L 05/16/2015 0 99999 7 -1
Unlock a specified account
passwd -u userid : Unlocks the specified user account.
root@ubuntu01-pc:~# passwd -u testuser
passwd: password expiry information changed.
root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 0 99999 7 -1
Set Min number of days before password change
passwd -n 7 userid : Min number of days before password change.
root@ubuntu01-pc:~# passwd -n 7 testuser
passwd: password expiry information changed.
root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 99999 7 -1
Set Max number of days before password change
passwd -x 30 userid : Max number of days before password change.
root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 99999 7 -1
root@ubuntu01-pc:~# passwd -x 30 testuser
passwd: password expiry information changed.
root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 30 7 -1
Set Warning given before password expires
passwd -w 5 userid : Warning to user given - number of days before password expires.
root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 30 7 -1
root@ubuntu01-pc:~# passwd -w 5 testuser
passwd: password expiry information changed.
root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 30 5 -1
Show password status for ALL users
passwd -a -S : Shows password status for all users.
The following is an extract from the output of the above command:
root@ubuntu01-pc:~# passwd -a -S
root P 03/15/2014 0 99999 7 -1
daemon L 10/16/2013 0 99999 7 -1
bin L 10/16/2013 0 99999 7 -1
sys L 10/16/2013 0 99999 7 -1
sync L 10/16/2013 0 99999 7 -1
games L 10/16/2013 0 99999 7 -1
man L 10/16/2013 0 99999 7 -1
lp L 10/16/2013 0 99999 7 -1
mail L 10/16/2013 0 99999 7 -1
testuser P 05/16/2015 7 30 5 -1
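A small audit over "passwd -a -S" output, added here as an example and not part of the original page: it parses the seven status fields described above and reports accounts with no password set (NP) and accounts with a usable password whose maximum age is above a chosen limit. The sample output is constructed in the page's format, and the 90-day limit is an assumed policy value.

```python
from datetime import datetime

# Constructed sample in the format of "passwd -a -S" shown on the page (not real system output).
SAMPLE_STATUS = """\
root P 03/15/2014 0 99999 7 -1
daemon L 10/16/2013 0 99999 7 -1
testuser P 05/16/2015 7 30 5 -1
guest NP 05/16/2015 0 99999 7 -1
"""

def parse_status_line(line):
    """Split one 'passwd -S' line into name, status, last change, min, max, warn, inactive."""
    name, status, changed, mn, mx, warn, inact = line.split()
    return {"name": name, "status": status,
            "last_change": datetime.strptime(changed, "%m/%d/%Y").date(),
            "min_days": int(mn), "max_days": int(mx),
            "warn_days": int(warn), "inactive_days": int(inact)}

def audit_status(text, max_age_limit=90):
    """Return (name, finding) pairs for accounts that need attention.

    max_age_limit is an assumed policy value: passwords that may live longer
    than this many days are reported. Locked (L) accounts are left alone.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_status_line(line)
        if e["status"] == "NP":
            findings.append((e["name"], "no password set (NP)"))
        elif e["status"] == "P" and e["max_days"] > max_age_limit:
            findings.append((e["name"], "password never expires (max %d days)" % e["max_days"]))
    return findings

if __name__ == "__main__":
    for name, finding in audit_status(SAMPLE_STATUS):
        print("%-10s %s" % (name, finding))
```

On a live system the same function can be fed the real report with `audit_status(subprocess.run(["passwd", "-a", "-S"], capture_output=True, text=True).stdout)` as root.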
Delete a users password
passwd -d userid : Delete a user's password, leaving the password field in "/etc/shadow" empty. This is a quick way to disable a password for an account, but it is not the same as locking it: depending on the PAM configuration (the "nullok" option of pam_unix), an account with an empty password may be able to log in without entering any password at all, so use "passwd -l" when the intention is to stop logins.
root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 30 5 -1
root@ubuntu01-pc:~# passwd -d testuser
passwd: password expiry information changed.
root@ubuntu01-pc:~# passwd -S testuser
testuser NP 05/16/2015 7 30 5 -1
Expire an account immediately
passwd -e userid : Immediately expire the password of an account. This can be used to force a user to change their password immediately, at their next login.
root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 30 5 -1
root@ubuntu01-pc:~# passwd -e testuser
passwd: password expiry information changed.
root@ubuntu01-pc:~# passwd -S testuser
testuser P 01/01/1970 7 30 5 -1
Display Help
passwd -h : Displays options available to the passwd command.
root@ubuntu01-pc:~# passwd -h
Usage: passwd [options] [LOGIN]
Options:
-a, --all report password status on all accounts
-d, --delete delete the password for the named account
-e, --expire force expire the password for the named account
-h, --help display this help message and exit
-k, --keep-tokens change password only if expired
-i, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-l, --lock lock the password of the named account
-n, --mindays MIN_DAYS set minimum number of days before password
change to MIN_DAYS
-q, --quiet quiet mode
-r, --repository REPOSITORY change password in REPOSITORY repository
-R, --root CHROOT_DIR directory to chroot into
-S, --status report password status on the named account
-u, --unlock unlock the password of the named account
-w, --warndays WARN_DAYS set expiration warning days to WARN_DAYS
-x, --maxdays MAX_DAYS set maximum number of days before password
change to MAX_DAYS