Changing User Passwords and Managing Password Policies
Full-Access Members Only
Sorry, this lesson is only available to Server Academy Full-Access members. Become a Full-Access member now and get instant access to this and many more premium courses. Click the button below and get instant access now.
Instructions
Q&A (0)
Notes (0)
Resources (0)
Saving Progress...
Resources
There are no resources for this lesson.
Notes can be saved and accessed anywhere in the course. They also double as bookmarks so you can quickly review important lesson material.
In this lesson, we will delve into managing passwords on a Linux/Unix system. This includes changing passwords, enforcing password policies, and understanding the formatting of the /etc/shadow file.
Changing Passwords
passwd (Change User Password) To change the password for a user, use the passwd command followed by the username. If you're the root user, you can change the password for any user. Otherwise, you can only change your own password.
passwd john_doe # Changes the password for user john_doeUnderstanding the /etc/shadow File
The /etc/shadow file stores encrypted passwords along with password aging information. Each line in the file corresponds to a user account and is formatted as follows:
username:password:lastchg:min:max:warn:inactive:expire:flagHere is a description of each field shown above:
Note that if some fields are empty, no data will be present. This is why you can see two colons next to each other.
username: The name of the user.password: The encrypted password of the user.lastchg: The number of days since Jan 1, 1970, that the password was last changed.min: The minimum number of days required between password changes.max: The maximum number of days the password is valid.warn: The number of days before password expiration that the user is warned.inactive: The number of days after password expiration that the account is disabled.expire: The number of days since Jan 1, 1970, that the account is disabled.flag: A reserved field for future use.
# Sample entry in /etc/shadow
john_doe:$6$TrnJ1O9s:18724:0:99999:7:::Enforcing Password Policies
Managing Password Requirements through PAM Pluggable Authentication Modules (PAM) provides a flexible mechanism for authenticating users. Through PAM, you can enforce password policies such as password length, complexity, and expiration.
To get started, we can use a utility called libpam-pwquality. Install that with the command below:
sudo apt-get install libpam-pwquality
Next, open the pam_pwquality configuration file located at /etc/security/pwquality.conf with superuser privileges:
sudo vim /etc/security/pwquality.confOnce you have the vim editor opened, use the search command / to search for minlength (type /minlength). Once you locate this field, press I and change the value to something like 12 characters:
minlen = 12Repeat those steps to set the dcredit parameter to -1, which enforces the requirement of at least one digit in the password:
dcredit = -1Save and close the configuration file with the VIM command below:
:wqNow test the updated settings by attempting to change a user's password using the passwd command:
sudo passwd usernameReplace "username" with the actual username. You should now see the new password complexity rules enforced when attempting to change the password.
In this lesson, we covered the following topics:
passwd: Change user passwords.- Understanding the formatting of the
/etc/shadowfile for managing user passwords. - Enforcing password policies using PAM and the libpam-pwquality package.
See you in the next lesson!
Server Academy Members Only
Sorry, this lesson is only available to Server Academy Full Access members. Become a Full-Access Member now and you’ll get instant access to all of our courses.
