🌐 🇵🇱 Polski · 🇬🇧 EN
You have surely noticed that in the previous chapter, no passwords were set when creating users. Does this mean that anyone can log in to the created accounts? Well, you cannot log in to these accounts until passwords are set; the accounts remain locked. The following commands are used for password management:
- passwd - Set or change a password for a user
- chage - Configure password parameters (complexity, expiration time)
- pwck - Verify the integrity of all password files
When creating a user, you can use the "-p" flag to assign a password immediately, but this requires entering the password in plain text on the screen, and someone walking by could see it. A better method is to use the "passwd" command:
Syntax of the passwd command: # passwd [options] LOGIN
Options for the passwd command:
- -l - Lock the user account
- -u - Unlock the user account
- -s - Set the password status for the account
Let's set a new password :
# passwd user02
Changing password for user user02.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Now, user02 will be prompted for a password when logging into the system. This is an individual account on a specific system, and it is local to it only. If a user needs to log in to another system, they must also have an account and password created there.
To enable the creation of user accounts in a single central database, thereby allowing logins across all systems in a given network, you can use additional software such as OpenLDAP or RedHat Directory Server.
At this moment, we will not be discussing domain login systems, etc. The good news is that the created user accounts can be used for SSH and FTP services if they are enabled on the system. Now it has become clear how to enable and secure a user account.
WHERE ARE THE PASSWORDS? - PASSWORD FILES
Passwords in RedHat and other Linux systems are stored in the following files:
WHERE ARE THE PASSWORDS? - PASSWORD FILES
Passwords in RedHat and other Linux systems are stored in the following files:
- /etc/passwd
- /etc/shadow
Structure of the /etc/passwd file:
<username>:<password placeholder>:<UID>:<GID>:<comments>:<home dir>:<shell>
For User02, it looks like this:
# cat /etc/passwd | grep user02
user02:x:501:501:Avg Joe:/home/user02:/bin/bash
When creating a new system user, you can always check the contents of this file to verify if it was created correctly. You can see all the options set at the time of user creation here. In the password field, you see the ":x:" symbol; it is actually stored in another location in /etc/shadow.
Structure of the /etc/shadow file:
<username>:<encrypted password>:<last passwd change>:<min>:<max>:<warn>:<inactive>:<expires>:<not used>
To see information regarding a specific user:
# cat /etc/shadow | grep user02
user02:$1$cMT6t6Ld$OXCCg5Pm2v2/YXxEjmz9O1:14767:0:99999:7:::
We see the username and the encrypted password. The next column, "14767", is the number of days since the password was last changed. The subsequent fields are the number of days until a password change is required ("0") and the number of days the password is valid ("99999"). These values can be modified using the chage command.
Syntax of the chage command: # chage [options] User
Options for the chage command:
- -d LAST_DAY - Number of days until password change
- -E EXPIRE_DATE - Account expiration date
- -I INACTIVE - Password change before account expires
- -l - Information about account aging
- -m MIN_DAYS - Minimum number of days between password changes
- -M MAX_DAYS - Maximum number of days the password is valid
- -W WARN_DAYS - Number of days before expiration to show a warning
Step 1 - Check password information for a given user:
# chage -l user03
Last password change : Oct
26, 2010
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Step 2 - Set account expiration to a specific date:
# chage -E 2011-10-28 user03
Step 3 - Verify the changes made:
# chage -l user03
Last password change : Oct
26, 2011
Password expires : never
Password inactive : never
Account expires : Oct 28, 2011
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
In the fourth line, you can see the set account expiration date.
When adding and removing users, it may happen that something does not work correctly, and the reason is that password files may not be consistent. To verify password consistency, let's use the "pwck" command.
# pwck
user adm: directory /var/adm does not exist
user news: directory /etc/news does not exist
user uucp: directory /var/spool/uucp does not exist
pwck: no changes
If new employees are expected to join the company and the boss demands that their accounts be prepared in advance so they don't have to wait for anything upon arrival, we already know that creating user accounts without passwords is not the best solution. A good practice is to create accounts with agreed-upon default passwords and lock them.
Step 1 - Creating a new account
# useradd -c “New User” user06
Step 2 - Setting a default password
# passwd user06
Changing password for user user06.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Step 3 - Locking the account
# usermod -L user06 (adding "!" before the password in /etc/shadow)
or
# usermod -s /bin/nologin user06 (change in /etc/passwd)
or
# usermod -s /bin/nologin user06 (change in /etc/passwd)
Step 4 - Verifying if the account is locked
# cat /etc/shadow | grep user06
user06:!$1$t9WeO2v2$MQb3YrqtNPp6n96ALudti0:14805:0:99999:7:::
or
# cat /etc/passwd | grep user06 ( /bin/nologin)
or
# cat /etc/passwd | grep user06 ( /bin/nologin)
Step 5 - Unlocking the account
# usermod -U user06
Step 6 - Verifying the account
# cat /etc/shadow | grep user06
user06:$1$t9WeO2v2$MQb3YrqtNPp6n96ALudti0:14805:0:99999:7:::
The differences can be seen in the appearance and disappearance of the exclamation mark "!". If it is absent, the user should be able to log in without any issues. In further parts, it will be shown how to automate this process using the cron tool.
Comments