Changing User Passwords and Managing Password Policies
Full-Access Members Only
Sorry, this lesson is only available to Server Academy Full-Access members. Become a Full-Access member now and get instant access to this and many more premium courses. Click the button below and get instant access now.
There are no resources for this lesson.
In this lesson, we will delve into managing passwords on a Linux/Unix system. This includes changing passwords, enforcing password policies, and understanding the formatting of the
passwd (Change User Password) To change the password for a user, use the
passwd command followed by the username. If you're the root user, you can change the password for any user. Otherwise, you can only change your own password.
passwd john_doe # Changes the password for user john_doe
/etc/shadow file stores encrypted passwords along with password aging information. Each line in the file corresponds to a user account and is formatted as follows:
Here is a description of each field shown above:
username: The name of the user.
password: The encrypted password of the user.
lastchg: The number of days since Jan 1, 1970, that the password was last changed.
min: The minimum number of days required between password changes.
max: The maximum number of days the password is valid.
warn: The number of days before password expiration that the user is warned.
inactive: The number of days after password expiration that the account is disabled.
expire: The number of days since Jan 1, 1970, that the account is disabled.
flag: A reserved field for future use.
# Sample entry in /etc/shadow john_doe:$6$TrnJ1O9s:18724:0:99999:7:::
Enforcing Password Policies
Managing Password Requirements through PAM Pluggable Authentication Modules (PAM) provides a flexible mechanism for authenticating users. Through PAM, you can enforce password policies such as password length, complexity, and expiration.
To get started, we can use a utility called
libpam-pwquality. Install that with the command below:
sudo apt-get install libpam-pwquality
Next, open the
pam_pwquality configuration file located at
/etc/security/pwquality.conf with superuser privileges:
sudo vim /etc/security/pwquality.conf
Once you have the vim editor opened, use the search command
/ to search for
/minlength). Once you locate this field, press I and change the value to something like 12 characters:
minlen = 12
Repeat those steps to set the
dcredit parameter to -1, which enforces the requirement of at least one digit in the password:
dcredit = -1
Save and close the configuration file with the VIM command below:
Now test the updated settings by attempting to change a user's password using the
sudo passwd username
Replace "username" with the actual username. You should now see the new password complexity rules enforced when attempting to change the password.
In this lesson, we covered the following topics:
passwd: Change user passwords.
- Understanding the formatting of the
/etc/shadowfile for managing user passwords.
- Enforcing password policies using PAM and the libpam-pwquality package.
See you in the next lesson!
Server Academy Members Only
Sorry, this lesson is only available to Server Academy Full Access members. Become a Full-Access Member now and you’ll get instant access to all of our courses.