Password status in linux

Управление паролями в Linux с помощью команды passwd

Оригинал: Password Management in Linux by using passwd command
Автор: Naga Ramesh
Дата публикации: 30 апреля 2016 года
Перевод: А. Кривошей
Дата перевода: апрель 2017 г.

Пароль в Linux — это последовательность символов без пробелов, используемая для идентификации пользователя в операционной системе. Обычно в многопользовательской или хорошо защищенной однопользовательской системе каждому пользователю присваивается уникальное имя (называемое user ID), которое не является секретом. Если пользователь вводит опеределенный ID, необходимо убедиться, что это действительно он. Для этого служит пароль, который знает только этот пользователь. Большинство сетей требуют от своих пользователей периодической смены паролей.

Команда passwd

Команда passwd используется для создания и изменения пользовательских паролей. Обычный пользователь может запустить passwd, чтобы сменить свой собственный пароль, а системный администратор (суперпользователь root) может изменять пароли других пользователей, либо опеределять правила использования и смены пользовательских паролей.

Синтаксис PASSWD

Смена пароля обычного пользователя

Если вы авторизованы как обычный пользователь (в моем случае user1), запуск команды passwd сбрасывает пароль пользователя.

Если вы авторизованы как root, то при запуске команды passwd по умолчанию сбрасывается пароль root, а если вы зададите после команды имя пользователя, то можете сменить пароль этого пользователя.

Вывод информации о статусе пароля

Для показа информации о статусе пароля пользователя используется опция -S команды passwd.

В приведенном выше выводе команды первое поле показывает имя пользователя, затем статус пароля ( PS = Password Set (пароль задан) , LK = Password locked (пароль заблокирован) , NP = No Password (нет пароля) ). Третье поле отображает время последнего изменения пароля, а четвертое и последнее поле — минимальный и максимальный срок действия пароля, срок вывода предупреждения и срок дезактивации пароля.

Мы также можем вывести информацию о статусе паролей всех пользователей с помощью опции –Sa.

Удаление пользовательского пароля

Мы можем удалить пароль заданного пользователя с помощью опции -d.

Блокировка пароля пользователя

С помощью опции «-l» команды passwd можно заблокировать пароль пользователя. Пока пароль заблокирован, пользователь не сможет сменить его.

Для разблокировки пользовательского пароля используется опция -u.

Дезактивация пароля

С помощью опции -i вы можете дезактивировать пароль пользователя, если через «n» дней после истечения срока действия пароля он не сменил его. После этого пользователь не сможет авторизоваться в системе.

С помощью опции -n мы можем задать минимальное количество дней, через которое пользователь сможет сменить пароль. Нулевое значение позволяет менять пароль в любое время.

С помощью опции -w можно задать, за сколько дней до истечения срока действия пароля пользовать получит предупреждение об этом.

Источник

Linux passwd command

About passwd

On Unix-like operating systems, the passwd command is used to change the password of a user account. A normal user can run passwd to change their password, and a system administrator (the superuser) can use passwd to change another user’s password, or define how that account’s password can be used or changed.

This page covers the Linux version of passwd.

Description

The passwd command changes passwords for user accounts. A normal user can only change the password for their account, but the superuser can change the password for any account. passwd can also change or reset the account’s validity period — how much time can pass before the password expires and must be changed.

Before a normal user can change their password, they must first enter their current password for verification. (The superuser can bypass this step when changing another user’s password.)

After the current password is verified, passwd checks to see if the user is allowed to change their password at this time. If not, passwd refuses to continue, and exits.

Otherwise, the user is then prompted twice for a replacement password. Both entries must match for passwd to continue.

Next, the password is tested for complexity. As a general guideline, passwords should consist of at least 6 characters, including one or more of each of the following:

Syntax

Options

The following options change the way passwd operates:

-a, —all	When used with -S (see below), this option shows the password status for all users. This option won’t work if used without -S.
-d, —delete	Delete a user’s password (make it empty). This option is a quick way to disable logins for an account, without disabling the account itself.
-e, —expire	Immediately expire an account’s password. This forces a user to change their password the next time they log in.
-h, —help	Display information about how to use the passwd command.
-i, —inactive INACTIVE	This option is used to disable an account after the password was expired for many days. After a user account has had an expired password for integer INACTIVE days, the user may no longer sign on to the account.
-k, —keep-tokens	Keep password tokens. Indicates that this user’s password should only be changed if it has expired.
-l, —lock	Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value. It does this by adding a character at the beginning of the encrypted password. Note that this does not disable the account. The user may still be able to log in using another authentication method (an SSH key, for example). To disable the account, the superuser can use the usermod command with the option —expiredate 1. This option sets the account’s expiration date to a date in the past — namely Jan 2, 1970. Users with a locked password are not allowed to change their password.
-n, —mindays MIN_DAYS	Set the minimum number of days between password changes to MIN_DAYS. A value of zero for this field indicates that the user may change his/her password at any time.
-q, —quiet	Quiet mode; passwd will operate without displaying any output.
-R, —root CHROOT_DIR	For advanced users: this option applies changes in the chroot directory CHROOT_DIR and use the configuration files from the CHROOT_DIR directory.
-S, —status	Display account status information. The status information consists of 7 fields: The user’s login name password usability: L if the account has a locked password, NP if the account has no password, or P if the account has a usable password date of the last password change minimum password age maximum password age password warning period password inactivity period In fields 4 through 7, password ages are expressed in days. Specifying -a in addition to -S displays password status for all users.
-u, —unlock	Unlock the password of the named account. This option re-enables a password by changing the password back to its value before the -l option was used to lock it.
-w, —warndays WARN_DAYS	Set the number of days of warning before a password change is required. WARN_DAYS is the number of days before the password expiring that a user will be warned that their password is about to expire.
-x, —maxdays MAX_DAYS	Set the maximum number of days a password remains valid. After MAX_DAYS, the password must be changed.

Notes

Password complexity varies depending on the system. Consult your operating system documentation for default complexity rules and how to change them.

On systems that use NIS (Network Information Services), users may not be able to change their password if they are not logged in to the NIS server.

Files used by passwd

/etc/passwd	User account information.
/etc/shadow	Secure user account information.
/etc/pam.d/passwd	PAM configuration for passwd.

Examples

Change your password

Running passwd with no options changes the password of the account running the command. You will first be prompted to enter the account’s current password:

If it is correct, you’ll be asked to enter a new password:

. and to enter the same password again, to verify it:

If the passwords match, the password will be changed.

Change another user’s password

If you have superuser privileges, you can change another user’s password. Here, we prefix the command with sudo to run as the superuser. This command changes the password for user jeff. You are not prompted for jeff‘s current password.

Change your password without knowing your current password

If you need to change your password because you forgot it, you need to log in to the root account. To do this, you need to know the password for user root.

Let’s say your username is sally, and you can’t remember your password. However, you have administrator access to the system: you can log in as root, using the password for that account. Log in as root, and then from the command line, run:

But what if you forgot the password for root as well? In this case, you need to log in to the machine in single-user mode, also known as runlevel 1. This cannot be done over the network, so you need physical access to the machine to boot into this runlevel.

Reboot the machine. When it is booting up, you should be presented with a bootloader menu. On many systems, such as Debian or Ubuntu, the boot menu will include an option for «Recovery Mode» or «Single User Mode» (as in the image below). Select this boot option.

This option boots you into a text-only mode, and log you in as root.

If you need to mount /, do so:

Now change sally‘s password:

When you’re done, reboot your system:

Start the system normally, and you should be able to log in as sally with the new password.

Additional examples

Check the status of the password for the user named ted. Output resembles the following:

Here, we see the user’s name (ted), followed by a P, indicating that his password is currently valid and usable. The password will expire on May 5, 2014. Ted cannot change his password more often than every 2 days, and must change the password every 365 days. He will be warned 7 days before a required password change, and if he allows his password to expire, his account will be disabled 28 days later.

Similar to the above command, but checks the password status for all user accounts, system-wide.

Lock the password for user jane. She cannot to log in until a system administrator unlocks it.

Unlock jane‘s password. It automatically resets to whatever it was before it was locked, and she can log in again.

Expire alan‘s password. The next time he logs in, he will be required to set a new password.

Related commands

chfn — Change a user’s finger information.
finger — List information about a user.
login — Begin a session on a system.
nispasswd — Change NIS+ password information.
nistbladm — Administer NIS+ tables.
useradd — Add a user to the system.
vipw — Safely edit the password file.
yppasswd — Change a network password in an NIS database.

Источник

Linux Check User Password Expiration Date and Time

Linux check user password expiration using chage

1. Open the terminal application
2. Type chage -l userName command to display password expiration information for Linux user account.
3. The -l option passed to the change show account aging information.
4. Check tom user’s password expiry time, run: sudo chage -l tom

Let us see some examples and usage information in details.

View account again information on Linux

To see account aging information such as expiry date and time, enter:

To see account aging info for usernamed vivek, enter:
$ chage -l vivek
Sample outputs:

The above outputs indicates that password aging disabled.

Check the user account password expiry information on Linux

Let us try one more example:
$ sudo chage -l raj
Sample outputs:

It seems that user account scheduled to expire on 01/Jan/2013. You can use the grep command to filter out info too:
$ sudo chage -l raj | grep ‘Password expires’

Change password expiry date

You can set the maximum number of days during which a password is valid. For example, make sure password is valid for 90 days for user named jerry:
sudo chage -M 90 jerry
sudo chage -l jerry
Please note that passing the number -1 will remove checking a password’s validity:
sudo chage -M -1 tom
You can also set the minimum number of days between password changes:
sudo chage -m 30 jerry
However, a value of zero indicates that the user may change his/her password at any time:
sudo chage -m 0 marlena

Set expire date

The syntax is:
sudo chage -E EXPIRE_DATE userName
One can set the date or number of days since January 1, 1970 on which the user’s account will no longer be accessible. The date may also be expressed in the format YYYY-MM-DD (or the format more mmonly used in your area). A user whose account is locked must contact the system administrator before being able to use the system again.
sudo chage -E 2020-03-31 sai
Passing the number -1 as the EXPIRE_DATE will remove an account expiration date:
sudo chage -E -1 tristan

• No ads and tracking
• In-depth guides for developers and sysadmins at Opensourceflare✨
• Join my Patreon to support independent content creators and start reading latest guides:
  • How to set up Redis sentinel cluster on Ubuntu or Debian Linux
  • How To Set Up SSH Keys With YubiKey as two-factor authentication (U2F/FIDO2)
  • How to set up Mariadb Galera cluster on Ubuntu or Debian Linux
  • A podman tutorial for beginners – part I (run Linux containers without Docker and in daemonless mode)
  • How to protect Linux against rogue USB devices using USBGuard

Join Patreon ➔

Set warning for the user before password expires

Try using the following syntax to set the number of days of warning before a password change is required:
sudo chage -W WARN_DAYS userName
sudo chage -W 30 raj
The WARN_DAYS option is the number of days prior to the password expiring that a user will be warned his/her password is about to expire. Verify info with following command:
sudo chage -l raj

Conclusion

The chage command changes the number of days between password changes and the date of the last password change. The same command also check user password expiration date and time on Linux. See chage man page for more information here.

🐧 Get the latest tutorials on Linux, Open Source & DevOps via

Источник