In this tutorial, we will learn how to use the passwd command available in Linux. This command is used to change a user’s password in Linux, but we will see that it also allows you to perform other actions. It is an essential command, included in the various Linux distributions: Debian, Ubuntu, Kali Linux, Rocky Linux, Mint, etc.
When you use the passwd command, you act directly on the file “/etc/shadow”, because this file contains the password hashes of the system's users. The root superuser can change the password of any account, while a standard user can only change their own password. A user with elevated privileges via “sudo” can also act on other accounts.
Beyond changing a password, the passwd command can also remove a password, set an expiration date for a password, etc.
Initial version of the article: July 12, 2022
II. Change a password in Linux
First of all, you should know that running the passwd command in your own session, without any argument or user name, lets you change the password of your own user account. If I am logged in with the “flo” account and run passwd on its own, I am prompted to change my password.
Then, to change the password for a specific user, use this syntax:
For example, to change the password for the user “it-connect”, I only need to specify its name. Depending on the account you use, prefix the command with “sudo”, or switch to the root account with “su -” for the duration of the operation.
sudo passwd it-connect
When this command is executed, you must enter the new password once, then a second time. The password entered does not appear on the screen.
We can also obtain the status of a user account with the “-S” option, like this:
sudo passwd -S it-connect
This information comes from the file “/etc/shadow”. In this example, the command returns:
it-connect P 09/16/2022 0 99999 7 -1
Which means:
- it-connect: the name of the user
- P: the status of the password, namely “P” if the password is valid and usable, “L” if the user account is locked, and “NP” if the account does not have a password
- 09/16/2022: the date of the last password change
- 0: the minimum age of the password; 0 means that it can be changed immediately
- 99999: the maximum age of the password (in other words, the user can keep it for a very long time)
- 7: the warning period in days, during which the user is warned that the password expiration is approaching
- -1: the number of days after a password expires before the account is locked
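As an added example (not part of the original article), the status line described above can be checked automatically: this shell function reads `passwd -S` lines and reports accounts with no password, locked accounts, and a maximum age above a policy limit. The 365-day limit, the function names and every sample line except the first are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit "passwd -S" status lines against a password-aging policy.
# Assumes the seven-field layout shown above:
#   name status last-change min-age max-age warn inactive

POLICY_MAX_DAYS=365   # hypothetical policy value, same figure as the -x 365 example

audit_passwd_status() {
    # Reads status lines on stdin; prints one "user: finding" line per issue.
    while read -r name status changed min max warn inactive; do
        if [ -z "$name" ]; then continue; fi
        case "$status" in
            P)  ;;                                           # usable password
            NP) echo "$name: no password set" ;;
            L)  echo "$name: account locked"; continue ;;    # skip the age check
            *)  echo "$name: unrecognised status '$status'"; continue ;;
        esac
        case "$max" in
            ''|*[!0-9]*)   # empty or not a non-negative number (e.g. -1)
                echo "$name: no usable maximum age ('$max')" ;;
            *)
                if [ "$max" -gt "$POLICY_MAX_DAYS" ]; then
                    echo "$name: maximum age $max days exceeds policy ($POLICY_MAX_DAYS)"
                fi ;;
        esac
    done
}

sample_status_lines() {
    # Constructed sample input; only the first line appears in the article.
    cat <<'EOF'
it-connect P 09/16/2022 0 99999 7 -1
flo P 09/16/2022 31 365 7 -1
svc-backup NP 09/16/2022 0 99999 7 -1
olduser L 01/10/2021 0 99999 7 -1
EOF
}

sample_status_lines | audit_passwd_status
```

On a live system, pipe the output of `sudo passwd -S <user>` into `audit_passwd_status` instead of the sample lines.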
III. Force a password change in Linux
It is possible to mark a password as expired, which means that the user concerned will have to set a new one at the next login. By default, passwords never expire for users on Linux.
To do this, the "-e" or "--expire" option must be used, with the following syntax:
For example, we can mark the password of the user "it-connect" as expired with the command:
sudo passwd -e it-connect
passwd: password expiry information changed.
At the next login with this user, changing the password will be mandatory. The prompt also states that this was imposed by the administrator.
Vous devez changer votre mot de passe immédiatement (imposé par l’administrateur).
Changement du mot de passe pour it-connect.
IV. Linux user minimum password age
With the passwd command, you can define a minimum number of days before the user can change their password. In other words, we impose a minimum age for this user's password. The "-n" option of the passwd command is used for this. Here is the syntax to follow:
For example, we can require the user "it-connect" to keep their password for at least 31 days:
sudo passwd it-connect -n 31
V. Maximum age of a Linux user's password
In the same spirit, you can specify the maximum age of a password to make sure the user renews it in line with the company's password policy. This time, the "-x" option is used. Here is the syntax to follow:
For example, the "it-connect" user can be forced to change their password once a year (365 days):
sudo passwd it-connect -x 365
Each time, if you rerun the command with the "-S" option, you can verify that the modification has been taken into account.
Thanks to this tutorial and the various examples, you are able to use the passwd command in Linux. Most of the time, this command is used to change a user's password, but it's good to know that it can perform other important account management actions.