30/05/2004
In the realm of Linux system administration, managing user accounts and their associated passwords is a fundamental task. Whether you're a seasoned professional or a curious enthusiast, understanding how to effectively control password policies is paramount for maintaining system security. The passwd command is your primary tool for this, offering a robust set of functionalities that go far beyond just changing a password. This comprehensive guide will delve into the intricacies of the passwd command, from its basic syntax to advanced options, empowering you to disable, expire, lock, and fine-tune password settings on your Linux systems.

- Understanding the passwd Command
- Checking Password Status
- Changing User Passwords
- Disabling a User's Password
- Forcing Password Expiry
- Managing Password Age and Inactivity
- Locking and Unlocking User Accounts
- Advanced passwd Usage
- Comparative Table of passwd Options
- Frequently Asked Questions (FAQs)
- Q: How can I tell if a user's password has expired on Linux?
- Q: What's the difference between deleting a password and locking a password?
- Q: Can a regular user disable another user's password?
- Q: Is it possible to set a password that never expires?
- Q: What happens if an account becomes inactive after password expiry?
- Conclusion
Understanding the passwd Command
The passwd command is an indispensable utility on Linux systems, designed for modifying user account passwords and managing their validity periods. It's a critical component for user account administration, ensuring that passwords meet security standards and are updated regularly. While regular users can only modify their own passwords, a super-user (root or a user with sudo privileges) can change and modify the parameters for any user account on the system.
Basic passwd Syntax
The general syntax for the passwd command is straightforward:
passwd [options] [username]
When executed without any arguments by a regular user, it prompts the user to change their own password. When used with sudo and a username, it allows an administrator to set a new password for that specific user. For example, to change the password for a user named 'john.doe', you would use:
sudo passwd john.doe
You will then be prompted to enter the new password twice. Note that for security reasons, the password input will not be displayed on the screen.
Key Files: /etc/passwd and /etc/shadow
On Linux, user information and password hashes are stored in specific system files. It's crucial to understand their roles:
- /etc/passwd: This file stores essential user account information, excluding the password itself. Each line represents a user and contains fields like username, user ID (UID), group ID (GID), home directory, and default shell. The password field in this file typically contains an 'x' (or '*'), indicating that the actual password hash is stored elsewhere.
- /etc/shadow: This file is where password hashes and password-aging information are stored. It is readable only by the root user, providing an additional layer of protection. When you use the passwd command, you are indirectly modifying the contents of this file to update password-related attributes.
Checking Password Status
Before making changes, it's often useful to inspect the current password status of a user account. This provides insights into its last change date, age limits, and more. You can view the password status using the --status or -S option:
passwd --status [username]
Or:
passwd -S [username]
For example, to check the status of 'john.doe':
sudo passwd -S john.doe
The output will typically display several fields:
[username] [status] [last_change_date] [min_days] [max_days] [warn_days] [inactive_days]
- [username]: The login name of the user.
- [status]: Indicates the password state:
  - P: Password is set and usable.
  - L: Password is locked (the user cannot log in with a password).
  - NP: No password is set (the user cannot log in with a password).
- [last_change_date]: The date of the last password change.
- [min_days]: Minimum number of days between password changes.
- [max_days]: Maximum number of days the password remains valid.
- [warn_days]: Number of days before password expiration when a warning is displayed.
- [inactive_days]: Number of days after password expiration before the account becomes inactive.
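The seven fields above are enough to audit an account's aging state. The following script is an added example, not part of the original article: it reads status lines in that format (constructed sample data here; in practice pipe in the output of passwd -S for the accounts you want to check), computes the password age from the last-change date, and reports locked, passwordless, never-expiring, expired, expiring-soon and inactive accounts. It assumes GNU date for the -d option.

```bash
#!/usr/bin/env bash
# Added example (not from the article): audit `passwd -S` lines for aging issues.
# SAMPLE_STATUS is constructed sample data in the seven-field format.
# GNU date (-d) is required; dates are handled in UTC to avoid DST skew.
SAMPLE_STATUS='john.doe P 05/30/2004 0 99999 7 -1
alice.smith P 02/15/2004 31 90 7 30
bob.jones P 01/15/2004 0 90 7 30
charlie.brown P 03/05/2004 0 90 7 -1
diana.prince P 05/01/2004 0 90 7 -1
eve.adams L 03/10/2004 0 90 7 -1
frank.castle NP 03/10/2004 0 90 7 -1'

# days_since <MM/DD/YYYY> <YYYY-MM-DD>: whole days from the first date to the second
days_since() {
    local mm="${1%%/*}" rest="${1#*/}" t0 t1
    local dd="${rest%%/*}" yyyy="${rest#*/}"
    t0=$(TZ=UTC date -d "$yyyy-$mm-$dd" +%s)
    t1=$(TZ=UTC date -d "$2" +%s)
    echo $(( (t1 - t0) / 86400 ))
}

# audit_status <YYYY-MM-DD>: reads status lines on stdin and prints one finding per
# account: LOCKED, NOPASSWORD, NEVER_EXPIRES, INACTIVE (expired longer than the -i
# grace period), EXPIRED <days overdue>, EXPIRING <days left> (inside -w), or OK.
audit_status() {
    local today="$1" user status last min max warn inactive age left
    while read -r user status last min max warn inactive; do
        [ -z "$user" ] && continue
        case "$status" in
            L)  echo "$user LOCKED";     continue ;;
            NP) echo "$user NOPASSWORD"; continue ;;
        esac
        age=$(days_since "$last" "$today")
        left=$(( max - age ))
        if [ "$max" -ge 99999 ]; then
            echo "$user NEVER_EXPIRES"
        elif [ "$left" -lt 0 ] && [ "$inactive" -ge 0 ] && [ $(( -left )) -gt "$inactive" ]; then
            echo "$user INACTIVE"
        elif [ "$left" -lt 0 ]; then
            echo "$user EXPIRED $(( -left ))"
        elif [ "$left" -le "$warn" ]; then
            echo "$user EXPIRING $left"
        else
            echo "$user OK"
        fi
    done
}

printf '%s\n' "$SAMPLE_STATUS" | audit_status 2004-05-30
```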
To check the password status for all accounts, combine --status with --all (or -S -a):
sudo passwd --status --all
Changing User Passwords
As mentioned, changing a user's password is the most common use case for the passwd command. If you are a regular user, simply typing passwd will prompt you to change your own password. As an administrator, you'll use sudo followed by the username:
sudo passwd [username]
For instance:
sudo passwd jane.doe
You will be prompted to enter and confirm the new password. Strong password policies might be enforced, preventing the use of weak or easily guessable passwords.
Disabling a User's Password
One of the core functionalities of passwd is the ability to disable a user's password. This effectively removes the password from the account, making it impossible for the user to log in using password-based authentication. This is different from locking, which we'll discuss later. To delete or disable a user's password, use the --delete or -d option:
sudo passwd --delete [username]
Or:
sudo passwd -d [username]
After executing this command, if you check the user's password status (passwd -S [username]), the status field will change from P (Password set) to NP (No Password). This action is a quick way to prevent password-based logins for an account without deleting the account itself.
Forcing Password Expiry
You might need to force a user to change their password upon their next login, for example, after a temporary password has been issued or as a security measure. The --expire or -e option achieves this:
sudo passwd --expire [username]
Or:
sudo passwd -e [username]
When the user next attempts to log in, Linux will indicate that their password has expired and will immediately prompt them to set a new one. The password status will show that it has expired and needs to be changed.
Managing Password Age and Inactivity
The passwd command offers granular control over password aging policies, crucial for enforcing strong security practices within an organisation.
Minimum Days Between Password Changes
To prevent users from immediately reverting to an old password or changing it too frequently, you can set a minimum number of days that must pass before a password can be changed again. Use the --mindays or -n option:
sudo passwd --mindays [number_of_days] [username]
For example, to enforce a minimum of 31 days:
sudo passwd --mindays 31 alice.smith
The password status report for 'alice.smith' will reflect this change.

Maximum Password Validity Period
To ensure users periodically update their passwords, you can set a maximum number of days a password remains valid before it expires. This is a common security requirement. Use the --maxdays or -x option:
sudo passwd --maxdays [number_of_days] [username]
For example, to require a password change every 90 days:
sudo passwd --maxdays 90 bob.jones
After 90 days, 'bob.jones' will be prompted to change their password upon login.
Setting Password Warning Days
Users can be given an advance warning before their password expires, prompting them to change it proactively. This helps avoid lockout situations. Use the --warndays or -w option:
sudo passwd --warndays [number_of_days] [username]
To warn 'charlie.brown' 7 days before their password expires:
sudo passwd --warndays 7 charlie.brown
Account Inactivity After Expiry
For enhanced security, an account can be automatically disabled if its password has expired and hasn't been changed within a specified number of days. This prevents dormant accounts with expired passwords from being exploited. Use the --inactive or -i option:
sudo passwd --inactive [number_of_days] [username]
To disable 'diana.prince's account 30 days after her password expires:
sudo passwd --inactive 30 diana.prince
The last field in the password status will update to reflect this inactivity period.
Locking and Unlocking User Accounts
Locking an account's password is another method to prevent a user from logging in via password authentication. Unlike deleting a password, which removes the hash, locking typically prefixes the password hash with an exclamation mark '!' in the /etc/shadow file, effectively invalidating it. The user might still be able to log in using other authentication methods (e.g., SSH keys), depending on the system configuration.
Locking a User Account
To lock a user's password, use the --lock or -l option:
sudo passwd --lock [username]
For example, to lock 'eve.adams's password:
sudo passwd --lock eve.adams
The password status will change to L, indicating a locked password.
Unlocking a User Account
To restore password-based login for a locked account, use the --unlock or -u option:
sudo passwd --unlock [username]
To unlock 'eve.adams's password:
sudo passwd --unlock eve.adams
The password status will revert to its previous state (e.g., P for password set), allowing the user to log in normally.
Advanced passwd Usage
While the core functionalities cover most scenarios, passwd also offers a few less common but useful options.
Quiet Mode
The --quiet or -q option suppresses the "Changing password for [username]" message, which can be useful in scripts or automated processes where verbose output is not desired.
passwd --quiet
Specifying a Password Repository
For more advanced setups where password changes might occur in specific repositories (as defined in /etc/nsswitch.conf), you can use the --repository or -r option to specify which repository to target. This is less common for standard user management.

sudo passwd --repository [repository_name] [username]
Changing the Root Directory
The --root or -R option allows you to perform passwd operations on a different root directory. This is typically used in chroot environments or for managing user accounts in an offline system image.
sudo passwd --root /path/to/chroot [username]
Comparative Table of passwd Options
Here's a quick reference for the most common and useful passwd options:
| Option | Short Form | Description | Example (for 'user1') |
|---|---|---|---|
| --status | -S | Displays the current password status of a user. | passwd -S user1 |
| --all | -a | Used with -S to display status for all users. | sudo passwd -S -a |
| --delete | -d | Removes the password for a user, disabling password-based login. | sudo passwd -d user1 |
| --expire | -e | Forces a user's password to expire, requiring a change at next login. | sudo passwd -e user1 |
| --inactive | -i | Sets the number of days after password expiry before the account is disabled. | sudo passwd -i 30 user1 |
| --mindays | -n | Sets the minimum number of days between password changes. | sudo passwd -n 7 user1 |
| --maxdays | -x | Sets the maximum number of days a password remains valid. | sudo passwd -x 90 user1 |
| --warndays | -w | Sets the number of days before expiry to warn the user. | sudo passwd -w 14 user1 |
| --lock | -l | Locks a user's password, preventing password-based login. | sudo passwd -l user1 |
| --unlock | -u | Unlocks a user's password, restoring password-based login. | sudo passwd -u user1 |
Frequently Asked Questions (FAQs)
Q: How can I tell if a user's password has expired on Linux?
A: You can check the password status using sudo passwd -S [username]. The output will show the last change date and the maximum password age. If the current date is past the last change date plus the maximum days, the password is expired. Additionally, if you've forced an expiry, the status might explicitly indicate it.
Q: What's the difference between deleting a password and locking a password?
A: When you delete a password (passwd -d), you remove the password hash from the /etc/shadow file, setting the status to NP (No Password). This means there's no password to validate against. When you lock a password (passwd -l), you essentially invalidate the existing password hash (often by prefixing it with '!') while it remains in the file, setting the status to L (Locked). Both prevent password-based login, but deleting truly removes the password, while locking merely deactivates it. Unlocking (passwd -u) restores the previous password hash, whereas deleting would require setting a new password.
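The lock/delete/unlock mechanics described in this answer and in the Locking and Unlocking section are visible directly in the second field of /etc/shadow. The script below is an added example, not part of the original article: it classifies constructed sample entries the way passwd -S does and simulates what passwd -u leaves behind. The hash strings are placeholders and the helper names (shadow_field, shadow_status, unlock_field) are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the article): inspect the password field of
# /etc/shadow entries to see what passwd -d, -l and -u actually change.
# SAMPLE_SHADOW is constructed; the hash strings are placeholders.
SAMPLE_SHADOW='john.doe:$6$SALTSALT$PLACEHOLDERHASH:12569:0:99999:7:::
eve.adams:!$6$SALTSALT$PLACEHOLDERHASH:12569:0:99999:7:::
alice.smith::12569:0:99999:7:::
bob.jones:!:12569:0:99999:7:::
daemon:*:12569:0:99999:7:::'

# shadow_field <user>: print field 2 (the password hash) of that user's entry
shadow_field() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '$1 == u { print $2 }'
}

# shadow_status <hash field>: the classification passwd -S reports
#   L  = first character '!' or '*' (passwd -l, or no usable password ever set)
#   NP = empty field (passwd -d); whether an empty password is accepted at
#        login then depends on the PAM configuration (pam_unix nullok)
#   P  = usable hash
shadow_status() {
    case "$1" in
        '!'*|'*'*) echo L ;;
        '')        echo NP ;;
        *)         echo P ;;
    esac
}

# unlock_field <hash field>: what passwd -u would leave behind. Stripping the
# '!' prefix restores the old hash; if nothing remains, the account would have
# no password, so passwd -u reports that and leaves the field unchanged.
unlock_field() {
    local rest="${1#!}"
    if [ -z "$rest" ]; then
        echo "refusing: unlocked password would be empty" >&2
        return 1
    fi
    printf '%s\n' "$rest"
}

for u in john.doe eve.adams alice.smith bob.jones daemon; do
    printf '%-12s %s\n' "$u" "$(shadow_status "$(shadow_field "$u")")"
done
unlock_field "$(shadow_field eve.adams)"
unlock_field "$(shadow_field bob.jones)" || echo "bob.jones needs a new password set"
```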
Q: Can a regular user disable another user's password?
A: No, a regular user can only modify their own password. To disable, delete, lock, or manage password policies for another user, you must have root privileges or be able to execute commands with sudo.
Q: Is it possible to set a password that never expires?
A: Yes, you can set the maximum password age to a very high number (e.g., 99999 days) using sudo passwd -x 99999 [username]. However, for security best practices, it's generally recommended to enforce periodic password changes.
Q: What happens if an account becomes inactive after password expiry?
A: If you set an inactivity period (passwd -i), and the user's password expires and isn't changed within that period, the account will become completely disabled. The user will not be able to log in at all, even if they know the correct (expired) password. An administrator would then need to manually reactivate the account and set a new password or unlock it.
Conclusion
The passwd command is a cornerstone of Linux user management and security. By mastering its various options, you gain precise control over user passwords, from setting age limits and warning periods to outright disabling or locking accounts. This power is essential for any system administrator committed to maintaining a robust and secure Linux environment. Always remember to apply these commands judiciously and in accordance with your organisation's security policies to ensure both usability and protection.
