In this lesson, we will delve into managing passwords on a Linux/Unix system. This includes changing passwords, enforcing password policies, and understanding the formatting of the /etc/shadow file.

Changing Passwords

passwd (Change User Password) To change the password for a user, use the passwd command followed by the username. If you're the root user, you can change the password for any user. Otherwise, you can only change your own password.

passwd john_doe  # Changes the password for user john_doe

Understanding the /etc/shadow File

The /etc/shadow file stores encrypted passwords along with password aging information. Each line in the file corresponds to a user account and is formatted as follows:

username:password:lastchg:min:max:warn:inactive:expire:flag

Here is a description of each field shown above:

• username: The name of the user.
• password: The encrypted password of the user.
• lastchg: The number of days since Jan 1, 1970, that the password was last changed.
• min: The minimum number of days required between password changes.
• max: The maximum number of days the password is valid.
• warn: The number of days before password expiration that the user is warned.
• inactive: The number of days after password expiration that the account is disabled.
• expire: The number of days since Jan 1, 1970, that the account is disabled.
• flag: A reserved field for future use.

# Sample entry in /etc/shadow
john_doe:$6$TrnJ1O9s:18724:0:99999:7:::

Enforcing Password Policies

Managing Password Requirements through PAM Pluggable Authentication Modules (PAM) provides a flexible mechanism for authenticating users. Through PAM, you can enforce password policies such as password length, complexity, and expiration.

To get started, we can use a utility called libpam-pwquality. Install that with the command below:

sudo apt-get install libpam-pwquality

Next, open the pam_pwquality configuration file located at /etc/security/pwquality.conf with superuser privileges:

sudo vim /etc/security/pwquality.conf

Once you have the vim editor opened, use the search command / to search for minlength (type /minlength). Once you locate this field, press I and change the value to something like 12 characters:

minlen = 12

Repeat those steps to set the dcredit parameter to -1, which enforces the requirement of at least one digit in the password:

dcredit = -1

Save and close the configuration file with the VIM command below:

:wq

Now test the updated settings by attempting to change a user's password using the passwd command:

sudo passwd username

Replace "username" with the actual username. You should now see the new password complexity rules enforced when attempting to change the password.

In this lesson, we covered the following topics:

• passwd: Change user passwords.
• Understanding the formatting of the /etc/shadow file for managing user passwords.
• Enforcing password policies using PAM and the libpam-pwquality package.

See you in the next lesson!

Server Academy Members Only

Sorry, this lesson is only available to Server Academy Full Access members. Become a Full-Access Member now and you’ll get instant access to all of our courses.

Sign In Get Instant Access