RHCSA - Manage Users & Groups: Change Passwords & Adjust Password Aging For Local User Accounts

/etc/shadow File

The /etc/shadow file stores the password hashes and password-aging information for local accounts. Passwords are hashed, not encrypted: nothing on the system can turn the stored value back into the password, but a weak password can still be recovered by guessing, which is why the file is unreadable to ordinary users. On RHEL it is owned by root with mode 0000, so read it as root (sudo getent shadow <user> is the usual way) rather than expecting a normal account to open it. Each line is one account record made up of nine fields separated by colons (:).

The fields in the /etc/shadow file are as follows:

  • Username: The login name; it must match the corresponding entry in /etc/passwd.
  • Password: The password hash in crypt(3) format, for example a value starting with $6$ (SHA-512) or $y$ (yescrypt) followed by the salt and the hash. A leading "!" (written by passwd -l or usermod -L) marks the password as locked while keeping the hash, "!!" or "*" means the account has no usable password, and an empty field means no password at all.
  • Last Password Change: The day the password was last changed, counted in days since the Unix epoch (January 1, 1970), not written as a date. A value of 0 forces the user to change the password at the next login; an empty field disables all aging checks for that account.
  • Minimum Password Age: The minimum number of days a user must wait before changing the password again. It stops a user from changing the password several times in a row to cycle back past a password-history check.
  • Maximum Password Age: The number of days after the last change for which the password stays valid; once that period has passed the user is forced to change it at the next login. The useradd default of 99999 effectively means never.
  • Password Warning Period: The number of days before expiry during which the user is warned at login that the password is about to expire.
  • Password Inactivity Period: The number of days after the password has expired during which the user can still log in and set a new one. If that grace period also passes, the account is locked and only an administrator can reopen it, for example by setting a new password or resetting the last-change date with chage -d.
  • Account Expiration Date: The day on which the account is disabled, again stored as days since the epoch (chage -l shows it as a date and chage -E accepts YYYY-MM-DD). From that day on login is refused regardless of password state, which makes it the reliable way to disable an account that might otherwise still authenticate with an SSH key.
  • Reserved Field: Reserved for future use and currently empty.
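The fields above are easier to reason about with a decoder in front of you. The script below is an added example, not from the original page: it parses one shadow-format record, classifies the hash field the way pam_unix sees it, and converts the day-count fields to dates without calling date(1). The record and its hash are constructed placeholders; on a real host you would feed it the output of sudo getent shadow <user>.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: decode one /etc/shadow record
# offline. The record below is constructed for illustration; on a real host
# obtain it with `sudo getent shadow "$user"` (the file is mode 0000, root-only).
set -eu

# Fields 3 and 8 are stored as days since 1970-01-01, not as dates. Convert
# with integer arithmetic (civil-from-days) so no date(1) variant is needed.
days_to_date() {
  local z era doe yoe y doy mp d m
  z=$(( $1 + 719468 ))
  era=$(( z / 146097 ))
  doe=$(( z - era * 146097 ))
  yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
  y=$(( yoe + era * 400 ))
  doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
  mp=$(( (5 * doy + 2) / 153 ))
  d=$(( doy - (153 * mp + 2) / 5 + 1 ))
  m=$(( mp < 10 ? mp + 3 : mp - 9 ))
  if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
  printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# Interpret field 2 the way pam_unix does: a leading "!" means locked,
# "*" means no password authentication, "$id$" names the crypt(3) scheme.
hash_state() {
  case "$1" in
    '')       echo "empty: no password; login without one depends on PAM nullok / sshd PermitEmptyPasswords" ;;
    '!'|'!!') echo "locked: account never had a usable password" ;;
    '!'*)     echo "locked: hash still present, prefixed by passwd -l / usermod -L" ;;
    '*'*)     echo "no password authentication (system account or usermod -p '*')" ;;
    '$6$'*)   echo "sha512crypt" ;;
    '$y$'*)   echo "yescrypt" ;;
    '$5$'*)   echo "sha256crypt" ;;
    '$1$'*)   echo "md5crypt (obsolete, rehash on next change)" ;;
    *)        echo "unrecognised scheme" ;;
  esac
}

row() { printf '%-20s %s\n' "$1" "$2"; }

# Print one "field: meaning" line per field of a shadow record.
shadow_decode() {
  local name hash last min max warn inactive expire reserved
  IFS=: read -r name hash last min max warn inactive expire reserved <<EOF
$1
EOF
  row "username:" "$name"
  row "password:" "$(hash_state "$hash")"
  case "$last" in
    '') row "last change:" "empty (aging checks disabled)" ;;
    0)  row "last change:" "0 (must change at next login)" ;;
    *)  row "last change:" "$(days_to_date "$last")" ;;
  esac
  row "min age (days):"  "${min:-none}"
  row "max age (days):"  "${max:-none}"
  row "warn (days):"     "${warn:-none}"
  row "inactive (days):" "${inactive:-none}"
  if [ -n "$expire" ]; then
    row "account expires:" "$(days_to_date "$expire")"
  else
    row "account expires:" "never"
  fi
  row "reserved:" "'${reserved}'"
}

# Constructed record: the hash is a placeholder, not a real password hash.
# It is locked (leading "!"), last changed on day 19592 (2023-08-23), and the
# account expires on day 20088 (2024-12-31).
SAMPLE_RECORD='chage_user:!$6$saltsalt$placeholderhash:19592:7:90:10::20088:'
shadow_decode "$SAMPLE_RECORD"
```

Run it as is to see the constructed record decoded; to inspect a live account replace SAMPLE_RECORD with the line returned by sudo getent shadow <user>. The date arithmetic is exact for any non-negative day count, so it also verifies the dates chage -l prints.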

/etc/login.defs File

The settings in /etc/login.defs supply defaults for user account creation and password-related operations. When useradd creates an account it reads /etc/login.defs for values such as the password-aging fields written into /etc/shadow and the UID and GID ranges to allocate from. These defaults are applied only at creation time: editing the file later does not change accounts that already exist, which have to be adjusted individually with chage.

Here are some common settings and their explanations:

  • PASS_MAX_DAYS: Maximum number of days a password remains valid; it becomes the maximum-age field of /etc/shadow for new accounts. The stock value of 99999 means passwords effectively never expire, so set it deliberately if rotation is part of your policy.
  • PASS_MIN_DAYS: Minimum number of days that must pass before a user can change the password again. With the stock value of 0 a user can change the password repeatedly in one sitting and cycle past any password-history check.
  • PASS_WARN_AGE: Number of days before expiry during which the user is warned at login that the password is about to expire.
  • LOGIN_RETRIES: Number of wrong passwords the login program accepts before it gives up. It does not lock the account, and on a PAM-based system such as RHEL it is largely superseded by the PAM stack; account lockout after repeated failures is configured through pam_faillock (/etc/security/faillock.conf), not here.
  • LOGIN_TIMEOUT: Number of seconds login waits for input before abandoning the attempt.
  • UID_MIN and UID_MAX: The range of UIDs that useradd allocates for regular accounts; system accounts created with useradd -r draw from SYS_UID_MIN and SYS_UID_MAX instead.
  • GID_MIN and GID_MAX: The equivalent range for GIDs allocated to regular groups.
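Because these values only affect accounts created afterwards, hardening a server means checking the file and then applying the same policy to the accounts that already exist. The script below is an added example, not from the original page: it reads the effective PASS_* and UID_* values from a login.defs-style file, flags weak settings, and emits the chage commands that bring existing regular accounts in line. The two configuration files, the passwd dump, the account names and the thresholds (365, 1 and 7 days) are all constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: audit the aging defaults in a
# login.defs-style file and generate the chage commands that apply the same
# policy to accounts that already exist (login.defs is only consulted when an
# account is created). The files, thresholds and account names are constructed.
set -eu

# Effective value of KEY in FILE: the second token of the last non-comment line
# whose first token is KEY (a later definition overrides an earlier one).
logindefs_get() {
  awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# One line per weak or missing setting, nothing when the file passes.
# Thresholds (365/1/7) are this example's assumptions, not a RHEL requirement.
audit_login_defs() {
  local f=$1 max min warn
  max=$(logindefs_get "$f" PASS_MAX_DAYS)
  min=$(logindefs_get "$f" PASS_MIN_DAYS)
  warn=$(logindefs_get "$f" PASS_WARN_AGE)
  if [ -z "$max" ] || [ "$max" -gt 365 ]; then
    echo "PASS_MAX_DAYS=${max:-unset}: new accounts get passwords that never expire"
  fi
  if [ -z "$min" ] || [ "$min" -lt 1 ]; then
    echo "PASS_MIN_DAYS=${min:-unset}: a user can cycle straight back to an old password, defeating pam_pwhistory"
  fi
  if [ -z "$warn" ] || [ "$warn" -lt 7 ]; then
    echo "PASS_WARN_AGE=${warn:-unset}: users get less than a week of notice"
  fi
}

# Emit `chage` commands for every account whose UID falls in the regular-user
# range defined by the same file; review them, then pipe to `sudo sh` to apply.
chage_commands_for() {
  local defs=$1 passwd_file=$2
  awk -F: -v lo="$(logindefs_get "$defs" UID_MIN)" -v hi="$(logindefs_get "$defs" UID_MAX)" \
      -v max="$(logindefs_get "$defs" PASS_MAX_DAYS)" -v min="$(logindefs_get "$defs" PASS_MIN_DAYS)" \
      -v warn="$(logindefs_get "$defs" PASS_WARN_AGE)" \
      '$3 >= lo+0 && $3 <= hi+0 { printf "chage -M %s -m %s -W %s %s\n", max, min, warn, $1 }' "$passwd_file"
}

# Constructed inputs: a stock-looking weak file, a hardened one, and a passwd dump.
WEAK_DEFS=$(mktemp); HARD_DEFS=$(mktemp); SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$WEAK_DEFS" "$HARD_DEFS" "$SAMPLE_PASSWD"' EXIT
cat >"$WEAK_DEFS" <<'EOF'
# PASS_MAX_DAYS 90      <- commented out, must be ignored
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UID_MIN         1000
UID_MAX         60000
EOF
cat >"$HARD_DEFS" <<'EOF'
PASS_MAX_DAYS   90
PASS_MIN_DAYS   7
PASS_WARN_AGE   14
UID_MIN         1000
UID_MAX         60000
EOF
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
EOF

echo "== weak file ==";      audit_login_defs "$WEAK_DEFS"
echo "== hardened file ==";  audit_login_defs "$HARD_DEFS"
echo "== remediation for existing accounts =="
chage_commands_for "$HARD_DEFS" "$SAMPLE_PASSWD"
```

On a live host point the functions at /etc/login.defs and the output of getent passwd; root and nobody fall outside the UID_MIN to UID_MAX range and are left alone, which is the behaviour you want, since system accounts with expiring passwords tend to break services rather than improve security.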

Changing Passwords For Local Accounts

The passwd command is used to manage user account passwords and provides the following functionalities:

  • Password Creation: passwd sets or changes a user's password, prompting twice for the new value without echoing it and writing the resulting hash to /etc/shadow.
  • Password Policy: passwd itself does not define policy. Length, character-class, dictionary and reuse checks are performed by the PAM password stack, on RHEL pam_pwquality (configured in /etc/security/pwquality.conf) together with pam_pwhistory; /etc/login.defs has no say in them.
  • Root Privileges: Changing another user's password requires root privileges, either as root or through sudo. Root is not asked for the user's current password, and by default the quality checks only print a warning (BAD PASSWORD: ...) for root rather than rejecting the value, so administrator-set passwords bypass the policy unless enforce_for_root is set in pwquality.conf.

The following table details some of the command options available to the passwd command:

Option Description
-l, --lock Locks the password by prefixing the hash in /etc/shadow with one or more "!" characters. Only password authentication is blocked: an SSH key still logs in, so to disable an account completely also set an expiry (chage -E 0 or usermod -L -e 1).
-u, --unlock Removes the "!" prefix, restoring the original hash and with it password logins.
-e, --expire Expires the password immediately by setting the last-change field to 0, so the user must choose a new password at the next login.
-d, --delete Removes the password, leaving the field empty. This does not lock the account: whether a login with no password is then accepted depends on the PAM configuration (nullok) and, for SSH, PermitEmptyPasswords. Prefer -l.
-S, --status Prints the account name, its lock state (password set, locked, or no password), the last-change date and the aging values, without modifying anything.

The following exercises get you working with the passwd command to change/set passwords:

Change your own password:

To change your own password, run:

passwd

You will be prompted to enter your current password.

Enter your new password.

Retype the new password when prompted to confirm it.

If the password change is successful, you will see a confirmation message:

passwd: all authentication tokens updated successfully.

Change another user's password:

To change another user's password:

sudo passwd root

You will be prompted for your own password by sudo (unless it is cached), not for root's current password: root can replace any account's password without knowing the old one.

Enter the new password for root.

Retype the new password when prompted to confirm it.

If the password change is successful, you will see a confirmation message:

passwd: all authentication tokens updated successfully.

Adjusting Password Aging For Local Accounts

The chage command is used to change the password aging and expiration settings for user accounts in Linux. It provides the following functionalities:

  • Password Aging: chage allows you to set password aging policies for user accounts. This includes options like password expiration, password aging period, and warning period before password expiration.
  • Account Expiration: chage also enables you to set an expiration date for user accounts. This allows system administrators to enforce regular account reviews and ensure that inactive or unnecessary accounts are disabled or removed.
  • Password Change Date: With chage, you can view or modify the last password change date for a user account. This information can be useful for auditing and security purposes.

The chage command provides a range of options to manage user account aging and expiration. Here are some common options and their functionalities:

Option Description
-M, --maxdays <days> Maximum number of days the password stays valid after its last change; -1 removes the limit.
-m, --mindays <days> Minimum number of days between password changes; 0 allows a change at any time.
-W, --warndays <days> Number of days before expiry during which the user is warned at login.
-E, --expiredate <date> Date (YYYY-MM-DD, or days since the epoch) from which the account is disabled outright, independent of the password; -E 0 disables it immediately and -E -1 removes the expiry.
-d, --lastday <date> Sets the last-password-change date (YYYY-MM-DD or days since the epoch). -d 0 forces a change at the next login; this option does not disable the account.
-I, --inactive <days> Number of days after password expiry before the account is locked; -1 removes the inactivity lock.
-R, --root <directory> Applies the change to the /etc/shadow under <directory> instead of the running system, for example when repairing an installation from rescue media.
-l, --list Shows the account's aging settings in readable form, with dates instead of day counts.

The following exercises get you working with the chage command to adjust aging settings:

Create a user to practice with:

Create a user:

sudo useradd chage_user

Use chage to determine what the current aging details are for the account:

sudo chage -l chage_user

The output should look like:

Last password change                                : Aug 23, 2023
Password expires                                    : never
Password inactive                                   : never
Account expires                                     : never
Minimum number of days between password change      : 0
Maximum number of days between password change      : 99999
Number of days of warning before password expires   : 7

Set maximum password age for user:

sudo chage -M 90 chage_user

This command sets the maximum password age to 90 days, counted from the last-change date, which is why the expiry shown below is Nov 21, 2023 (Aug 23 plus 90 days). Once that date has passed, the next login forces the user to set a new password.

Verify the change occurred:

sudo chage -l chage_user

The output should look like:

Last password change                                : Aug 23, 2023
Password expires                                    : Nov 21, 2023
Password inactive                                   : never
Account expires                                     : never
Minimum number of days between password change      : 0
Maximum number of days between password change      : 90
Number of days of warning before password expires   : 7

Set minimum password age for user:

sudo chage -m 7 chage_user

This command specifies that the user must keep their password for at least 7 days before they can change it. This prevents frequent password changes.

Verify the change occurred:

sudo chage -l chage_user

The output should look like:

Last password change                                : Aug 23, 2023
Password expires                                    : Nov 21, 2023
Password inactive                                   : never
Account expires                                     : never
Minimum number of days between password change      : 7
Maximum number of days between password change      : 90
Number of days of warning before password expires   : 7

Set password expiration warning for user:

sudo chage -W 10 chage_user

With this command, the user will receive a warning message 10 days before their password expires. This gives them time to prepare for a password change.

Verify the change occurred:

sudo chage -l chage_user

The output should look like:

Last password change                                : Aug 23, 2023
Password expires                                    : Nov 21, 2023
Password inactive                                   : never
Account expires                                     : never
Minimum number of days between password change      : 7
Maximum number of days between password change      : 90
Number of days of warning before password expires   : 10

Set explicit account expiration date:

sudo chage -E 2024-12-31 chage_user

This command sets the account expiration date for the user to 31 December 2024. From that date on, login is refused regardless of the password's state; unlike a password lock this also stops SSH key logins, which is why an expiry date is the reliable way to retire an account.

Verify the change occurred:

sudo chage -l chage_user

The output should look like:

Last password change                                : Aug 23, 2023
Password expires                                    : Nov 21, 2023
Password inactive                                   : never
Account expires                                     : Dec 31, 2024
Minimum number of days between password change      : 7
Maximum number of days between password change      : 90
Number of days of warning before password expires   : 10
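Seeing the values in chage -l is one thing; knowing what they mean for a login on a given day is another. The script below is an added example, not from the original page: it evaluates every record in a shadow-format dump as of a chosen day number and reports whether each password is fine, in its warning window, expired, locked by the inactivity period, or attached to an expired account. The comparisons follow the order and strictness used by pam_unix (account expiry first, then last change of 0, then age against max, max plus inactive, and max minus warn); treat that as an assumption to verify against your own PAM version. All records are constructed and the hashes are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: report the aging state of every
# account in a shadow-format dump as of a given day number. The records are
# constructed; on a real host use `sudo getent shadow` and today's day number
# $(( $(date +%s) / 86400 )). Comparison order and strictness are modelled on
# pam_unix's check_shadow_expiry (assumption; verify against your PAM version).
set -eu

# aging_state LINE TODAY -> one line "user: state"
aging_state() {
  local line=$1 today=$2
  local name hash last min max warn inactive expire rest
  IFS=: read -r name hash last min max warn inactive expire rest <<EOF
$line
EOF
  # Field 8: account expiry is checked first and is independent of the password.
  if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
    echo "$name: account expired on day $expire"; return 0
  fi
  # Field 3: empty disables aging, 0 forces a change at next login.
  if [ -z "$last" ]; then echo "$name: aging disabled (empty last-change field)"; return 0; fi
  if [ "$last" -eq 0 ]; then echo "$name: must change password at next login"; return 0; fi
  # Field 5: -1, empty, or 99999 all mean the password never expires.
  if [ -z "$max" ] || [ "$max" -lt 0 ] || [ "$max" -ge 99999 ]; then
    echo "$name: password never expires"; return 0
  fi
  local age=$(( today - last ))
  # Field 7: once max + inactive days have passed the account is locked.
  if [ -n "$inactive" ] && [ "$inactive" -ge 0 ] && [ "$age" -gt $(( max + inactive )) ]; then
    echo "$name: locked, password expired $(( age - max )) days ago and $inactive-day inactivity period exceeded"; return 0
  fi
  # Past max: login still works but a new password is demanded first.
  if [ "$age" -gt "$max" ]; then
    echo "$name: password expired $(( age - max )) days ago"; return 0
  fi
  local left=$(( max - age ))
  # Field 6: inside the warning window the user is told how many days remain.
  if [ -n "$warn" ] && [ "$age" -gt $(( max - warn )) ]; then
    echo "$name: warning, $left days left"; return 0
  fi
  echo "$name: ok, $left days left"
}

# audit_shadow FILE TODAY -> one report line per record
audit_shadow() {
  local line
  while IFS= read -r line; do
    if [ -n "$line" ]; then aging_state "$line" "$2"; fi
  done < "$1"
}

# Constructed dump. Day 19592 is 2023-08-23, as in the chage -l output above.
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat >"$SAMPLE_SHADOW" <<'EOF'
alice:$6$x$y:19592:7:90:10:::
bob:$6$x$y:19650:0:90:10:::
carol:$6$x$y:19592:7:90:10:14::
dave:$6$x$y:19650:0:90:10::19680:
eve:$6$x$y:0:0:90:7:::
frank:$6$x$y:19650:0:99999:7:::
grace:$6$x$y:19650:0:60:14:::
EOF

# Evaluate as of day 19700 (2023-12-09).
audit_shadow "$SAMPLE_SHADOW" 19700
```

alice and carol share the same last-change day and 90-day maximum; the only difference is carol's 14-day inactivity period, which has also run out by day 19700, so alice can still log in and will be forced to pick a new password while carol is locked out until an administrator intervenes. dave's account expiry wins over an otherwise healthy password, which is the behaviour chage -E relies on.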
