Managing Passwords


Managing Users and Groups within Linux

One of the most important aspects of running a Linux system is the management of users and groups. These accounts are generally a mixture of system accounts used for running services and human user accounts used for accessing the system and its services. Each account created is identified on the system by its own unique "userid". Before we learn to add users and groups we need a basic understanding of how this information is stored on your system.

Passwd and Shadow Files

When you install your Linux system, one of the first accounts created is that of the "root" user. It is generally this account that is responsible for the creation of further accounts for users and services on the system. These users are stored in what is commonly known as the "password file", located at "/etc/passwd". Originally the "/etc/passwd" file held an encrypted form of the password. As this file is readable by all users, this was deemed a security risk. On most modern systems the encrypted (hashed) part of a user's password is now stored in what is known as a shadow file. The shadow file can only be modified by the "root" user and by accounts that are members of a special group on your system. Although the previous statement is generally true, normal users are allowed to change their own password by issuing the "passwd" command. The "passwd" command has special privileges assigned that allow it to execute as root and update the necessary files. We will cover this command a little later. If you would like to read about how a normal user can update a file which only root would normally be able to update, then read the section on "SUID" in Linux File Permissions.

/etc/passwd - The Password File

Each line of the passwd file is broken down into seven distinct fields separated by colons. The first field is the "User ID". This is a unique name given to a user or a service. The second field is the password field. On older systems this field held the hashed password; newer systems store the password in a "shadow" file and, where a shadow file is used, an "x" is placed in this field. The third field contains what is known as the "UID" or "Unique UserID". This is a number. As mentioned earlier the "root" account is created first and has a "UID" of "0". On many newer systems the UIDs assigned to users are generally in the range from either "500" or "1000" upwards. UIDs below this are generally used for service and administration accounts.


The fourth field is known as the "Group ID". Every user has a default group assigned at creation. Groups are how Linux allows users to share information with other people. Group numbers and their associated names are stored in the file "/etc/group". The next field is the "User Info" field. Here you can add users' full names, phone numbers and other general information. Originally this field was known by the name "GECOS" (General Electric Comprehensive Operating System). The sixth field, "Home Directory", is the user's home area. Generally this area is created automatically based on the UserID. However, it can be set to any valid location. And finally the last field is the default shell. In most cases this will be "BASH". The default shell can be set to any other shell that is available on your system. It is also quite common to see "/bin/false" entries. Where these are specified, the account cannot be used as a normal login account. Below is an example of a local account on a "Ubuntu Linux System".


john@john-desktop:~$ grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash

john@john-desktop:~$ grep landoflinux /etc/passwd
landoflinux:x:1002:1002:LandofLinux:/home/landoflinux:/bin/bash

john@john-desktop:~$ grep landoflinux /etc/group
landoflinux:x:1002:

The shadow file, as we mentioned earlier, is where the real hashed/encrypted password is stored. This file, "/etc/shadow", is only readable by the "root" user on a system, which safeguards the information stored within it. An example of a test account in "/etc/passwd" and its associated entry in "/etc/shadow" can be seen for the user "mytest".


john@john-desktop:~$ grep mytest /etc/passwd
mytest:x:1003:1003:mytest:/home/mytest:/bin/sh

john@john-desktop:~$ sudo grep mytest /etc/shadow
mytest:$6$qBNqm7rX$rLEYlS7qN0Qpci6qlwWA6PxGuNBo.mcG3L.0GGjQhUrG3Xd1o4SQSR/tkfghBy.kfiBWNgn91c/jkdjClRTqk0:15764:0:99999:7:::

Each line within the shadow file is separated into eight fields by a colon (":"):

1. UserID : Your login name.

2. Password : The salt combined with the hashed password and the algorithm information. On GNU/Linux systems the prefix "$1$" is for MD5, "$2$" is for Blowfish, "$5$" is for SHA-256 and "$6$" is for SHA-512.

3. Last Password Change : Days since 1st January 1970 on which the password was last changed.

4. Minimum : Minimum number of days required between password changes.

5. Maximum : Maximum number of days the password is valid for.

6. Warn : Number of days before the password expires on which the user starts to be warned.

7. Inactive : The number of days after the password has expired before the account is disabled.

8. Expiry : The number of days since 1st January 1970 after which the account can no longer be used.

If no password has been set for an account it will look similar to the example below:


mytest:!:15764:0:99999:7:::

If the account has been locked it will look similar to the example below. Notice the "!" exclamation mark after the UserID field. This indicates that the account is locked.


mytest:!$6$dzFiO.Jx$Zu/8a1NsrkzLWUFyMkx9fQRwcMH3eSXd4NxCsQ3vrTEL8eDqyUlrJ4z/kubeSWfVvWkz/vs2B7id/3MsdXQLi.:15764:0:99999:7:::
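To make the field layouts above concrete, here is an added example (not code from the page) that decodes /etc/passwd and /etc/shadow lines into their fields, identifies the hash algorithm from the "$id$" prefix, tells a locked entry from one with no password, and flags the conditions an administrator would want to review. It reuses the page's sample entries; the "guest" and "toor" accounts, the assignment of the page's hashes to accounts, and the function names are constructed for illustration.

```python
"""Decode and audit /etc/passwd and /etc/shadow entries.

Added example, not code from the page. The sample entries reuse the page's own
terminal output; the accounts "guest" and "toor" and the assignment of hashes
to accounts are constructed to exercise the checks. Nothing here reads the
real system files.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# crypt(3) id prefixes as listed on the page.
HASH_ALGORITHMS = {"1": "MD5", "2": "Blowfish", "5": "SHA-256", "6": "SHA-512"}

# Shells that refuse an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

# Hashes copied from the page's "mytest" examples (usable and locked forms).
PAGE_HASH = ("$6$qBNqm7rX$rLEYlS7qN0Qpci6qlwWA6PxGuNBo.mcG3L.0GGjQhUrG3Xd1o4SQSR/"
             "tkfghBy.kfiBWNgn91c/jkdjClRTqk0")
LOCKED_HASH = ("!$6$dzFiO.Jx$Zu/8a1NsrkzLWUFyMkx9fQRwcMH3eSXd4NxCsQ3vrTEL8eDqyUlrJ4z/"
               "kubeSWfVvWkz/vs2B7id/3MsdXQLi.")

PASSWD_SAMPLE = [
    "root:x:0:0:root:/root:/bin/bash",
    "landoflinux:x:1002:1002:LandofLinux:/home/landoflinux:/bin/bash",
    "mytest:x:1003:1003:mytest:/home/mytest:/bin/sh",
    "guest:x:1004:1004:constructed account:/home/guest:/bin/bash",  # constructed
    "toor:x:0:0:constructed second UID 0 account:/root:/bin/bash",  # constructed
]
SHADOW_SAMPLE = [
    f"root:{PAGE_HASH}:15764:0:99999:7:::",          # usable password
    f"landoflinux:{LOCKED_HASH}:15764:0:99999:7:::",  # locked with "!" (passwd -l)
    "mytest:!:15764:0:99999:7:::",                   # no password set (page example)
    "guest::15764:0:99999:7:::",                     # constructed: empty password field
    f"toor:{PAGE_HASH}:15764:0:99999:7:::",          # constructed: duplicate UID 0
]


@dataclass
class PasswdEntry:
    name: str
    shadowed: bool  # True when field 2 is "x" and the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


@dataclass
class ShadowEntry:
    name: str
    state: str               # "valid", "locked", "no-password" or "empty"
    algorithm: Optional[str]
    salt: Optional[str]
    last_change: int         # days since 1970-01-01; -1 when the field is empty
    min_days: int
    max_days: int
    warn_days: int


def parse_passwd_line(line: str) -> PasswdEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields: {line!r}")
    name, pw, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, pw == "x", int(uid), int(gid), gecos, home, shell)


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    # shadow(5) reserves a ninth field, which is empty on current systems.
    if len(fields) not in (8, 9):
        raise ValueError(f"expected 8 or 9 colon-separated fields: {line!r}")
    name, pw = fields[0], fields[1]
    aging = [int(f) if f else -1 for f in fields[2:6]]  # last change, min, max, warn
    if pw == "":
        state = "empty"          # no password at all: a login may need none
    elif pw.lstrip("!*") == "":
        state = "no-password"    # "!" or "*" alone: no password has ever been set
    elif pw[0] in "!*":
        state = "locked"         # "!" prefixed to a real hash, as "passwd -l" does
    else:
        state = "valid"
    hashed = pw.lstrip("!*")
    algorithm = salt = None
    if hashed.startswith("$"):
        parts = hashed.split("$")  # "$6$salt$hash" -> ["", "6", "salt", "hash"]
        algorithm = HASH_ALGORITHMS.get(parts[1], f"unknown ({parts[1]})")
        salt = parts[2] if len(parts) > 2 else None
    elif hashed:
        algorithm = "traditional DES"  # old 13-character crypt hash, no "$id$" prefix
    return ShadowEntry(name, state, algorithm, salt, *aging)


def audit(passwd_lines: List[str], shadow_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (account, reason) pairs that an administrator should review."""
    shadow = {e.name: e for e in map(parse_shadow_line, shadow_lines)}
    findings = []
    for entry in map(parse_passwd_line, passwd_lines):
        if not entry.shadowed:
            findings.append((entry.name, "password field is not 'x' in world-readable /etc/passwd"))
        if entry.uid == 0 and entry.name != "root":
            findings.append((entry.name, "UID 0 account other than root"))
        sh = shadow.get(entry.name)
        if sh is None:
            findings.append((entry.name, "no matching /etc/shadow entry"))
        elif sh.state == "empty" and entry.shell not in NOLOGIN_SHELLS:
            findings.append((entry.name, "empty password field on an account with a login shell"))
    return findings


if __name__ == "__main__":
    for line in SHADOW_SAMPLE:
        e = parse_shadow_line(line)
        print(f"{e.name:12} {e.state:12} {e.algorithm or '-':8} salt={e.salt or '-'}")
    for account, reason in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"REVIEW {account}: {reason}")
```

Run against real files with root privileges by replacing the sample lists with the lines of /etc/passwd and /etc/shadow; the "empty" state is the one to treat as urgent, since "!" on its own already blocks password logins while an empty field may not.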

Password Management - passwd command examples

One important aspect of maintaining or administering a Linux system is the management of users and their passwords. Whether you are creating a user for the first time, removing a user or simply resetting a password, you will need a basic understanding of the "passwd" command. Ordinary users can change their own password simply by issuing the "passwd" command, optionally followed by their own userid. However, it is not unusual for users to forget their passwords, and then it is your duty to reset the password for that user. As well as setting passwords, you will also need to understand how to "Lock" and "Unlock" an account, and how to view the status of a given account.

Change Password

passwd userid : Only the root user can change another user's password. Normal users may issue the command without parameters to change their own password.


root@mint01a:~# passwd testuser
New password: 
Retype new password: 
passwd: password updated successfully


$ whoami
testuser

$ passwd
Changing password for testuser.
Current password: 
New password: 
Retype new password: 
passwd: password updated successfully

Display current status of an account's password

passwd -S userid : Displays current status of users password.


root@mint01a:~# passwd -S testuser
testuser P 04/18/2021 0 99999 7 -1

chage -l userid : Displays the password ageing information for the specified user in a more readable form.


root@mint01a:~# chage -l testuser
Last password change					: Apr 18, 2021
Password expires					: never
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 99999
Number of days of warning before password expires	: 7

Force password change

When you set a password for a user, it is always a good idea to force them to change the password the first time they log in to the system. To do this, use the "chage -d 0 userid" command as in the example below. This sets the "last password change" field to 0; notice that the output from the "chage" command now indicates the user must change their password.


root@mint01a:~# chage -d 0 testuser
root@mint01a:~# 
root@mint01a:~# chage -l testuser
Last password change					: password must be changed
Password expires					: password must be changed
Password inactive					: password must be changed
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 99999
Number of days of warning before password expires	: 7
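How "chage -l" turns the raw ageing numbers in /etc/shadow into the report above, as an added example (not the page's code and not shadow-utils' own): it converts the days-since-1970 values into dates and reproduces the "password must be changed" rows that appear once "chage -d 0" has set the last-change field to 0. The function names and the "forced" and "testuser" sample lines are constructed; the "!" password fields are placeholders, since only the ageing fields matter here.

```python
"""Recompute the "chage -l" report from /etc/shadow ageing fields.

Added example, not code from the page or from shadow-utils. The rules mirror
chage(1): a last-change value of 0 (what "chage -d 0" writes) means the
password must be changed at the next login, an empty field is treated as -1
(not set), and a maximum age of 10000 days or more is reported as "never".
"""
from datetime import date, timedelta
from typing import Dict

EPOCH = date(1970, 1, 1)
NEVER_THRESHOLD = 10000  # chage reports maximum ages this large as "never"

SAMPLE_SHADOW = [
    "mytest:!:15764:0:99999:7:::",   # ageing values from the page's mytest entry
    "forced:!:0:0:99999:7:::",       # constructed: after "chage -d 0 forced"
    "testuser:!:18735:7:30:5:14::",  # constructed: 04/18/2021 with a 30-day policy
]


def days_to_date(days: int) -> date:
    """Shadow stores dates as days since 1970-01-01 (fields 3 and 8)."""
    return EPOCH + timedelta(days=days)


def _fmt(days: int) -> str:
    return days_to_date(days).strftime("%b %d, %Y")  # chage's "Apr 18, 2021" style


def _field(value: str) -> int:
    """An empty ageing field means 'not set'; chage works with -1 for that."""
    return int(value) if value else -1


def aging_report(shadow_line: str) -> Dict[str, str]:
    """Return the rows "chage -l" prints for one /etc/shadow line, keyed by label."""
    fields = shadow_line.rstrip("\n").split(":")
    last, min_d, max_d, warn, inact, expire = (_field(f) for f in fields[2:8])
    must_change = last == 0
    never = last < 0 or max_d < 0 or max_d >= NEVER_THRESHOLD

    report = {}
    if last < 0:
        report["Last password change"] = "never"
    elif must_change:
        report["Last password change"] = "password must be changed"
    else:
        report["Last password change"] = _fmt(last)

    if must_change:
        report["Password expires"] = "password must be changed"
        report["Password inactive"] = "password must be changed"
    else:
        # Expiry is last change + maximum age; inactivity adds the inactive days on top.
        report["Password expires"] = "never" if never else _fmt(last + max_d)
        report["Password inactive"] = ("never" if never or inact < 0
                                       else _fmt(last + max_d + inact))
    report["Account expires"] = "never" if expire < 0 else _fmt(expire)
    report["Minimum number of days between password change"] = str(min_d)
    report["Maximum number of days between password change"] = str(max_d)
    report["Number of days of warning before password expires"] = str(warn)
    return report


if __name__ == "__main__":
    for line in SAMPLE_SHADOW:
        print(line.split(":")[0])
        for label, value in aging_report(line).items():
            print(f"  {label}: {value}")
```

The "testuser" line shows why the maximum-age and inactive fields matter together: with a 30-day maximum and 14 inactive days, the password expires on May 18, 2021 and the account is disabled on Jun 01, 2021 unless the password is changed before then.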

Lock a Specified Account

passwd -l userid : Locks the specified user account. (Notice the "L" after the userid in the "passwd -S" output. This indicates Locked.) Note that "passwd -l" only disables password authentication, by prefixing the stored hash with "!"; a user who has another authentication method, such as an SSH key, can still log in. To stop the account being used at all, also expire it (for example with "chage -E 0 userid").


root@mint01a:~# passwd -l testuser
passwd: password expiry information changed.
 
root@mint01a:~# passwd -S testuser
testuser L 04/18/2021 0 99999 7 -1

Unlock a specified account

passwd -u userid : Unlocks the specified user account.


root@mint01a:~# passwd -u testuser
passwd: password expiry information changed.
 
root@mint01a:~# passwd -S testuser
testuser P 04/18/2021 0 99999 7 -1

Set Min number of days before password change

passwd -n 7 userid : Sets the minimum number of days allowed between password changes (here 7).


root@mint01a:~# passwd -n 7 testuser
passwd: password expiry information changed.

root@mint01a:~# passwd -S testuser
testuser P 04/18/2021 7 99999 7 -1

Set Max number of days before password change

passwd -x 30 userid : Sets the maximum number of days a password remains valid before it must be changed (here 30).


root@mint01a:~# passwd -S testuser
testuser P 04/18/2021 7 99999 7 -1

root@mint01a:~# passwd -x 30 testuser
passwd: password expiry information changed.

root@mint01a:~# passwd -S testuser
testuser P 04/18/2021 7 30 7 -1

Set Warning given before password expires

passwd -w 5 userid : Sets the number of days before expiry on which the user starts to be warned that their password is about to expire (here 5).


root@mint01a:~# passwd -S testuser
testuser P 04/18/2021 7 30 7 -1

root@mint01a:~# passwd -w 5 testuser
passwd: password expiry information changed.

root@mint01a:~# passwd -S testuser
testuser P 04/18/2021 7 30 5 -1

Show password status for ALL users

passwd -a -S : Shows password status for all users.

The following is an extract from the output of the command:


john P 10/06/2020 0 99999 7 -1
nvidia-persistenced L 10/06/2020 0 99999 7 -1
sshd L 04/02/2021 0 99999 7 -1
libvirt-qemu L 04/03/2021 0 99999 7 -1
libvirt-dnsmasq L 04/03/2021 0 99999 7 -1
testuser P 04/18/2021 7 30 5 -1

Delete a user's password

passwd -d userid : Deletes a user's password, leaving the password field empty (status "NP" in the "passwd -S" output). This is a quick way to disable a password for an account. Be aware, however, that an empty password field can allow the account to be used without any password at all, depending on the PAM configuration (for example the "nullok" option of pam_unix). If the intent is to stop the account being used, lock it with "passwd -l" instead.


root@mint01a:~# passwd -S testuser
testuser P 04/18/2021 7 30 5 -1

root@mint01a:~# passwd -d testuser
passwd: password expiry information changed.

root@mint01a:~# passwd -S testuser
testuser NP 04/18/2021 7 30 5 -1

Expire an account immediately

passwd -e userid : Immediately expires the account's password. This can be used to force a user to change their password at their next login. Notice that the last-change date shown by "passwd -S" becomes 01/01/1970, because the last-change field has been set to 0.


root@mint01a:~# passwd -S testuser
testuser P 04/18/2021 7 30 5 -1

root@mint01a:~# passwd -e testuser
passwd: password expiry information changed.

root@mint01a:~# passwd -S testuser
testuser P 01/01/1970 7 30 5 -1
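An added example (not code from the page) that reads "passwd -S" lines like the ones above and states what each means: the P/L/NP status codes, the 01/01/1970 date left behind by "passwd -e" or "chage -d 0", and any maximum age beyond a chosen policy. The sample lines are the page's own output plus one constructed "nopass" line; the 90-day policy value and the function names are assumptions made for illustration.

```python
"""Interpret "passwd -S" / "passwd -a -S" status lines.

Added example, not from the page. The sample lines reuse the page's own output
in the Debian/Mint format: login, status, last change as MM/DD/YYYY, minimum
age, maximum age, warning days, inactivity days. The "nopass" line and the
90-day policy are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List

# Status codes documented in passwd(1).
STATUS_MEANING = {"P": "usable password", "L": "locked password", "NP": "no password"}

SAMPLE_STATUS = [
    "john P 10/06/2020 0 99999 7 -1",
    "nvidia-persistenced L 10/06/2020 0 99999 7 -1",
    "sshd L 04/02/2021 0 99999 7 -1",
    "libvirt-qemu L 04/03/2021 0 99999 7 -1",
    "libvirt-dnsmasq L 04/03/2021 0 99999 7 -1",
    "testuser P 01/01/1970 7 30 5 -1",  # after "passwd -e testuser" (page example)
    "nopass NP 04/18/2021 7 30 5 -1",   # constructed: after "passwd -d nopass"
]


@dataclass
class PasswdStatus:
    login: str
    status: str
    last_change: date
    min_days: int
    max_days: int
    warn_days: int
    inactive_days: int  # -1 means not set


def parse_status_line(line: str) -> PasswdStatus:
    parts = line.split()
    if len(parts) != 7 or parts[1] not in STATUS_MEANING:
        raise ValueError(f"unexpected passwd -S line: {line!r}")
    login, status, changed, mn, mx, warn, inact = parts
    # Other distributions print the date as YYYY-MM-DD; adjust the format there.
    last = datetime.strptime(changed, "%m/%d/%Y").date()
    return PasswdStatus(login, status, last, int(mn), int(mx), int(warn), int(inact))


def review_account(entry: PasswdStatus, max_age_policy: int = 90) -> List[str]:
    """Return review notes for one account; the first note is the status meaning."""
    notes = [STATUS_MEANING[entry.status]]
    if entry.status == "NP":
        notes.append("no password: confirm the account is locked or has a nologin shell")
    if entry.last_change == date(1970, 1, 1):
        # passwd -e and chage -d 0 both write 0 into the last-change field.
        notes.append("last change is day 0: password must be changed at next login")
    if entry.status == "P" and entry.max_days > max_age_policy:
        notes.append(f"maximum age {entry.max_days} days exceeds the {max_age_policy}-day policy")
    return notes


def review(lines: List[str], max_age_policy: int = 90) -> Dict[str, List[str]]:
    """Map each login in a passwd -S report to its review notes."""
    return {e.login: review_account(e, max_age_policy) for e in map(parse_status_line, lines)}


if __name__ == "__main__":
    for login, notes in review(SAMPLE_STATUS).items():
        print(f"{login}: " + "; ".join(notes))
```

Feed the real report in with "passwd -a -S > status.txt" as root and pass the file's lines to review(); locked service accounts such as sshd are expected, whereas an "NP" entry or a never-expiring human account is what the report is meant to surface.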

Display Help

passwd -h : Displays options available to the passwd command.


root@mint01a:~# passwd -h
Usage: passwd [options] [LOGIN]

Options:
  -a, --all                     report password status on all accounts
  -d, --delete                  delete the password for the named account
  -e, --expire                  force expire the password for the named account
  -h, --help                    display this help message and exit
  -k, --keep-tokens             change password only if expired
  -i, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --lock                    lock the password of the named account
  -n, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -q, --quiet                   quiet mode
  -r, --repository REPOSITORY   change password in REPOSITORY repository
  -R, --root CHROOT_DIR         directory to chroot into
  -S, --status                  report password status on the named account
  -u, --unlock                  unlock the password of the named account
  -w, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
  -x, --maxdays MAX_DAYS        set maximum number of days before password
                                change to MAX_DAYS