LandofLinux.com

Managing Passwords

Managing Users and Groups within Linux

One of the most important aspects of running a Linux system is the managing of users and groups. These accounts generally belong to a mixture of system accounts for running services and human user accounts for accessing the system and its services. Each account created is identified on the system with its own unique "userid".
Before we learn to add these particular users and groups we will need to have a basic understanding of how this information is stored on your system.

Passwd and Shadow files

When you install your Linux system, one of the first accounts created is that of the "root" user. It is generally this account that is reasonable for the creation of further accounts for users and services on this system. These users are stored within what is commonly known as the "password file". The location of this file is "/etc/passwd". Originally the "/etc/passwd" file held an encrypted form of the password. As this file is readable by all users, it was deemed to be a security risk. On most modern systems the encrypted part of a users password is now stored in what is known as a shadow file. This shadow file can only be modified by the "root" user and certain accounts that are a member of a special group on your system. Although the previous statement is generally true, normal users are allowed to change their own passwd by issuing the "passwd" command. This "passwd" command has special privileges assigned that allow it to execute as root and update the necessary files. We will cover this command little later. If you would like to read about how a normal user can update a file which only root would normally be able to update, then read our section on "SUID" under the file permissions section.

/etc/passwd - The Password File

The passwd file is broken down into seven distinct sections. The first section is the "User ID". This is a unique name given to a user or a service. On older systems this field was filled with a hashed password. However, new systems store the password in a "shadow" file. Where a shadow file is used, an "x" is placed in this filed. The third field contains what is known as an "UID" or a "Unique UserID". This is a numerical number. As mentioned earlier the "root" account is created first and has a "UID" of "0". On many newer systems Uids that are assigned to users are generally in the range of either "500" or "1000" upwards. Uids below this are generally used for services and administration accounts.

The fourth field is known as the "Group ID". Every user has a default group assigned at creation. Groups are how Linux allows users to share information with other people. Group numbers and their associated names are stored in the file "/etc/group" file. The next section is the "User Info" section. Here you can add Users names, phone numbers and other general information. Originally this field was known by the name of "GECOS" (General Electric Comprehensive Operating System). The sixth section "Home Directory" is the users home area. Generally this are is created automatically based on the UserID. However, this can be set to any valid location. And finally the last section is the default shell. In most cases this will be "BASH". The default shell can be set to any other shell that is available on your system. It is also quite common to see "/bin/false" entries. where these are specified, it prevents that account from being used as a normal login account. Below is an example of a local account on a "Ubuntu Linux System"

john@john-desktop:~$ grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash

john@john-desktop:~$ grep landoflinux /etc/passwd
landoflinux:x:1002:1002:LandofLinux:/home/landoflinux:/bin/bash

john@john-desktop:~$ grep landoflinux /etc/group
landoflinux:x:1002:

The shadow file as we mentioned earlier is where the real hashed/encrypted password is stored. This file "/etc/shadow" is only available to "root" users on a system. This safeguards the stored information within. An example of a test account in "/etc/passwd" and its associated entry in "/etc/shadow" can be found for the user "mytest"

john@john-desktop:~$ grep mytest /etc/passwd
mytest:x:1003:1003:mytest:/home/mytest:/bin/sh

john@john-desktop:~$ sudo grep mytest /etc/shadow
mytest:$6$qBNqm7rX$rLEYlS7qN0Qpci6qlwWA6PxGuNBo.mcG3L.0GGjQhUrG3Xd1o4SQSR/tkfghBy.kfiBWNgn91c/jkdjClRTqk0:15764:0:99999:7:::

The fields within the shadow file are separated into a eight sections by a colon ":"

If no password has been set for an account it will look similar to the example below:

mytest:!:15764:0:99999:7:::

If the account has been locked it will look similar to the example below. Notice the "!" exclamation mark after the UserID field. This indicates that the account is locked.

mytest:!$6$dzFiO.Jx$Zu/8a1NsrkzLWUFyMkx9fQRwcMH3eSXd4NxCsQ3vrTEL8eDqyUlrJ4z/kubeSWfVvWkz/vs2B7id/3MsdXQLi.:15764:0:99999:7:::

Password Management - passwd command examples

One import aspect of maintaining or administrating a Linux system is the management of users and their passwords. Whether you are creating a user for the first time, removing a user or simply resetting a password, you will need a basic understanding of the "passwd" command. Ordinary user have the ability to change their own password simply by issuing the "passwd" command followed by the userid. However it is not unusual for users to forget their passwords and then it is your duty to reset this for that user. As well as setting passwords, you will also need to understand how to "Lock" and "Unlock" an account. You will also need to view the status of a given account.

Change Password

root@ubuntu01-pc:~# passwd testuser
Enter new UNIX password: 
Retype new UNIX password:
passwd: password updated successfully


$ whoami
testuser

$ passwd
Changing password for testuser.
(current) UNIX password: 
Enter new UNIX password: 
Retype new UNIX password:
passwd: password updated successfully

Display current status of an accounts password

root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 0 99999 7 -1

The "-S" option requests the status of an userid. The returned results are split into seven fields. The first field is the users login name. The second field indicates whether the users account has been locked (L), has no password set (NP)or has a usable password (P). The third field gives the date of the last password change. The remaining four fields are minimum age, maximum age, warning period and inactivity period for the password. These ages are expressed in the unit of days.

Lock a specified account

root@ubuntu01-pc:~# passwd -u testuser
passwd: password expiry information changed.

root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 0 99999 7 -1

Unlock a specified account

root@ubuntu01-pc:~# passwd -u testuser
passwd: password expiry information changed.

root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 0 99999 7 -1

Set Min number of days before password change

root@ubuntu01-pc:~# passwd -n 7 testuser
passwd: password expiry information changed.

root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 99999 7 -1

Set Max number of days before password change

root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 99999 7 -1

root@ubuntu01-pc:~# passwd -x 30 testuser
passwd: password expiry information changed.

root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 30 7 -1

Set Warning given before password expires

root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 30 7 -1

root@ubuntu01-pc:~# passwd -w 5 testuser
passwd: password expiry information changed.

root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 30 5 -1

Show password status for ALL users

The following is an extract from the output of the above command:

root@ubuntu01-pc:~# passwd -a -S
root P 03/15/2014 0 99999 7 -1
daemon L 10/16/2013 0 99999 7 -1
bin L 10/16/2013 0 99999 7 -1
sys L 10/16/2013 0 99999 7 -1
sync L 10/16/2013 0 99999 7 -1
games L 10/16/2013 0 99999 7 -1
man L 10/16/2013 0 99999 7 -1
lp L 10/16/2013 0 99999 7 -1
mail L 10/16/2013 0 99999 7 -1
testuser P 05/16/2015 7 30 5 -1

Delete a users password

root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 30 5 -1

root@ubuntu01-pc:~# passwd -d testuser
passwd: password expiry information changed.

root@ubuntu01-pc:~# passwd -S testuser
testuser NP 05/16/2015 7 30 5 -1

Expire an account immediately

root@ubuntu01-pc:~# passwd -S testuser
testuser P 05/16/2015 7 30 5 -1

root@ubuntu01-pc:~# passwd -e testuser
passwd: password expiry information changed.

root@ubuntu01-pc:~# passwd -S testuser
testuser P 01/01/1970 7 30 5 -1

Display Help

root@ubuntu01-pc:~# passwd -h
Usage: passwd [options] [LOGIN]

Options:
  -a, --all                     report password status on all accounts
  -d, --delete                  delete the password for the named account
  -e, --expire                  force expire the password for the named account
  -h, --help                    display this help message and exit
  -k, --keep-tokens             change password only if expired
  -i, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --lock                    lock the password of the named account
  -n, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -q, --quiet                   quiet mode
  -r, --repository REPOSITORY   change password in REPOSITORY repository
  -R, --root CHROOT_DIR         directory to chroot into
  -S, --status                  report password status on the named account
  -u, --unlock                  unlock the password of the named account
  -w, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
  -x, --maxdays MAX_DAYS        set maximum number of days before password
                                change to MAX_DAYS