Linux view user password

Linux Check User Password Expiration Date and Time

Linux check user password expiration using chage

1. Open the terminal application
2. Type chage -l userName command to display password expiration information for Linux user account.
3. The -l option passed to the change show account aging information.
4. Check tom user’s password expiry time, run: sudo chage -l tom

Let us see some examples and usage information in details.

View account again information on Linux

To see account aging information such as expiry date and time, enter:

To see account aging info for usernamed vivek, enter:
$ chage -l vivek
Sample outputs:

The above outputs indicates that password aging disabled.

Check the user account password expiry information on Linux

Let us try one more example:
$ sudo chage -l raj
Sample outputs:

It seems that user account scheduled to expire on 01/Jan/2013. You can use the grep command to filter out info too:
$ sudo chage -l raj | grep ‘Password expires’

Change password expiry date

You can set the maximum number of days during which a password is valid. For example, make sure password is valid for 90 days for user named jerry:
sudo chage -M 90 jerry
sudo chage -l jerry
Please note that passing the number -1 will remove checking a password’s validity:
sudo chage -M -1 tom
You can also set the minimum number of days between password changes:
sudo chage -m 30 jerry
However, a value of zero indicates that the user may change his/her password at any time:
sudo chage -m 0 marlena

Set expire date

The syntax is:
sudo chage -E EXPIRE_DATE userName
One can set the date or number of days since January 1, 1970 on which the user’s account will no longer be accessible. The date may also be expressed in the format YYYY-MM-DD (or the format more mmonly used in your area). A user whose account is locked must contact the system administrator before being able to use the system again.
sudo chage -E 2020-03-31 sai
Passing the number -1 as the EXPIRE_DATE will remove an account expiration date:
sudo chage -E -1 tristan

• No ads and tracking
• In-depth guides for developers and sysadmins at Opensourceflare✨
• Join my Patreon to support independent content creators and start reading latest guides:
  • How to set up Redis sentinel cluster on Ubuntu or Debian Linux
  • How To Set Up SSH Keys With YubiKey as two-factor authentication (U2F/FIDO2)
  • How to set up Mariadb Galera cluster on Ubuntu or Debian Linux
  • A podman tutorial for beginners – part I (run Linux containers without Docker and in daemonless mode)
  • How to protect Linux against rogue USB devices using USBGuard

Join Patreon ➔

Set warning for the user before password expires

Try using the following syntax to set the number of days of warning before a password change is required:
sudo chage -W WARN_DAYS userName
sudo chage -W 30 raj
The WARN_DAYS option is the number of days prior to the password expiring that a user will be warned his/her password is about to expire. Verify info with following command:
sudo chage -l raj

Conclusion

The chage command changes the number of days between password changes and the date of the last password change. The same command also check user password expiration date and time on Linux. See chage man page for more information here.

🐧 Get the latest tutorials on Linux, Open Source & DevOps via

Источник

How To Linux Set or Change User Password

Linux Set User Password

Type following passwd command to change your own password:
$ passwd
Sample Outputs:

The user is first prompted for his/her old password if one is present. This password is then encrypted and compared against the stored password. The user has only one chance to enter the correct password. The super user is permitted to bypass this step so that forgotten passwords may be changed. A new password is tested for complexity. As a general guideline, passwords should consist of 10 to 20 characters including one or more from each of following sets:

1. Lower case alphabetics
2. Upper case alphabetics
3. Digits 0 thru 9
4. Punctuation marks/spacial characters

Linux change password for other user account

You need to login as the root user, type the following command to change password for user vivek:
# passwd vivek
OR
$ sudo passwd vivek
Sample putput:

• vivek – is username or account name.

Passwords do not display to the screen when you enter them. For example:

Linux changing user password using passwd

Linux Change Group Password

When the -g option is used, the password for the named group is changed. In this example, change password for group sales:
# passwd -g sales
The current group password is not prompted for. The -r option is used with the -g option to remove the current password from the named group. This allows group access to all members. The -R option is used with the -g option to restrict the named group for all users.

Changing user passwords on Linux

As a Linux system administrator (sysadmin) you can change password for any users on your server. To change a password on behalf of a user:

1. First sign on or “su” or “sudo” to the “root” account on Linux, run: sudo -i
2. Then type, passwd tom to change a password for tom user
3. The system will prompt you to enter a password twice

To change or set a new root (superuser) password type:
$ sudo passwd

Forcing Linux user to change password at their next login

By default, Linux passwords never expire for users. However, we can force users to change their password the next time they log in via GUI or CLI methods. The syntax is straightforward:
$ sudo passwd -e
$ sudo passwd —expire
Let us immediately expire an account’s password:
$ sudo passwd -e marlena
The system will confirm it:

When user try to login via ssh command, they will see the following on screen:

Locking and Unlocking user password of the named account

Note that the following local command does not disable the account. The user may still be able to login using another authentication token, such as an SSH key. To disable the account, administrators should use either usermod —expiredate 1 or sudo passwd —expire command. Also, users with a locked password are not allowed to change their password to get around the security policy set by sysadmin.

We can lock the password as follows:
$ sudo passwd -l
This option disables a password by changing it to a value which matches no possible encrypted value (it adds a ! at the beginning of the password in the /etc/shadow file. Want to unlock the password, try:
$ sudo passwd -u
The above command option re-enables a password by changing the password back to its previous value. In other words, to the value before using the -l option.

• No ads and tracking
• In-depth guides for developers and sysadmins at Opensourceflare✨
• Join my Patreon to support independent content creators and start reading latest guides:
  • How to set up Redis sentinel cluster on Ubuntu or Debian Linux
  • How To Set Up SSH Keys With YubiKey as two-factor authentication (U2F/FIDO2)
  • How to set up Mariadb Galera cluster on Ubuntu or Debian Linux
  • A podman tutorial for beginners – part I (run Linux containers without Docker and in daemonless mode)
  • How to protect Linux against rogue USB devices using USBGuard

Join Patreon ➔

A note about setting up a secure Linux password

Compromises in password security typically result from careless password selection. Avoid common password such as:

1. Words which appears in a dictionary
2. Your first and last name
3. Pet names
4. Kids or spouses names
5. License number
6. Date of birth (DoB)
7. Home or office address

I strongly recommend that you generate a unique password for all user accounts using your chosen password manager.

Conclusion

The passwd command line utility is used to update or change user’s password. The encrypted password is stored in /etc/shadow file and account information is in /etc/passwd file. To see all user account try grep command or cat command as follows:
$ cat /etc/passwd
$ grep ‘^userNameHere’ /etc/passwd
$ grep ‘^tom’ /etc/passwd
The guidance given in this quick tutorial should work with any Linux distribution, including Alpine, Arch, Ubuntu, Debian, RHEL, Fedora, Oracle CentOS, SUSE/OpenSUSE and other popular Linux distros.

🐧 Get the latest tutorials on Linux, Open Source & DevOps via

Источник

passwd command in Linux with Examples

passwd command in Linux is used to change the user account passwords. The root user reserves the privilege to change the password for any user on the system, while a normal user can only change the account password for his or her own account.

Syntax:

Example:

Note: sudo can be used to invoke root privileges by normal users, and can change the password for root itself. This is particularly helpful when a user is member of admin group (holds a position in sudoers list (/etc/sudoers) and can use commands with sudo) and the root password is not set, which is case with many common distributions of linux.

Processing in passwd command:

1. Verify current user password : Once the user enters passwd command, it prompts for current user password, which is verified against the password stored in /etc/shadow file user. The root user can bypass this step and can directly change the password, so as the forgotten passwords may be recovered.
2. Verify password aging information : In Linux, a user password can be set to expire after a given period of time. Also, a user can be prohibited to change his/her password for a period. This password aging information (and the password itself) is stored in a file /etc/shadow.
3. Change the password : After authentication, the user is prompted to enter the new password and verify it by retyping the password.

/etc/shadow file: The shadow file is a list of colon separated values with 9 fields, as shown below:

• field 1: User name.
• field 2: Encrypted Password.
• field 3: Number of days since January 1, 1970 to when the password was last changed.
• field 4: Minimum number of days for which password can not be changed. (value 0 means it can be changed anytime).
• field 5: Number of days after password must be changed. (value 99999 means that the password never expires).
• field 6: Number of days to warn user for expiring password.
• field 7: Number of days after password expires that the account is disabled.
• field 8: The number of days from January 1, 1970 to the date when an account was disabled.
• field 9: This field is reserved for some possible future use.

passwd options:

• -d, –delete: This option deletes the user password and makes the account password-less.
• -e, –expire: This option immediately expires the account password and forces the user to change password on their next login.

-h, –help: Display help related to the passwd command.

-i, –inactive INACTIVE_DAYS: This option is followed by an integer, INACTIVE_DAYS, which is the number of days after the password expires that the account will be deactivated.

-k, –keep-tokens: This option is used when you only want to change the password if it is expired. It keeps the authentication tokens for the authentication if the password is not yet expired, even if you requested to change it. Note that if the expiry period for a user is set to 99999, then this option will not keep tokens and the password will be changed.

-l, –lock: Lock the password of user. This appends the encrypted password of the user with a character ‘!’, and thus making it unable to match with any of input password combinations. This does not disable the account but prevents the user from logging in using a password. Though other authentication methods like ssh keys can be used to login to the account.

-n, –mindays MIN_DAYS: Change the minimum number of days between password changes to MIN_DAYS so that the user can’t change the password for MIN_DAYS.

-q, –quiet: This option is used for quiet mode. While using this option to change a password, the message “Changing password for $user.”, which usually gets printed before changing a password, does not get echoed.

-r, –repository REPO: This option is used to change password for repository named “REPO”.

-R, –root CHROOT_DIR: Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory. This basically changes the root directory for the passwd process for once, and since CHROOT_DIR is a sub-directory of the root, it can not access the configuration files outside the CHROOT_DIR.

-S, –status: Shows the password status (7 fields) of user in the following format:

The first field is the user’s login name. The second field indicates if the user account has a locked password (L), has no Password (NP), or has a usable password (P). The third field gives the date of the last password change. The next four fields are the minimum age, maximum age, warning period, and inactivity period for the password. These ages are expressed in days.

-S [, –status] -a [, –all]: This combination of options shows password status for all users. Note that -a or –all cannot be used without -S option.

-u, –unlock: Unlock the password of an account.

-w, –warndays WARN_DAYS: This option is used to change the number of days before the password is to expire, to display the warning for expiring password.

-x, –maxdays MAX_DAYS Set the maximum number of days for which the password remains valid. After MAX_DAYS, the password will expire and the user will be forced to change password.

Источник