I recently wrote a guide about the /etc/passwd and /etc/shadow files. The /etc/shadow file contains each user's password hash (the "encrypted password") and other information about the user's password, such as the last password change, the minimum password age and more.
In practice, you can edit a user's password settings directly in /etc/shadow, but this is not recommended, because there are better ways to change them, which I will cover in this guide.
In this guide, we will look at the proper way of managing passwords and implementing our password policies.
There are several ways to view a user's password information; the chage command lets us view details such as:
- Last password change (the last time the user changed their password)
- Password expires
- Password inactive
- Account expires - the number of d
- Minimum password age (the number of days before a user can change their password again)
- Maximum password age (the maximum number of days a user can keep a password)
- Warning before password expires (the number of days in advance to display the password expiry message)
To view a user's password info, use the command: sudo chage -l <user>
which displays the password info as follows:
You can see it displays the values of the password info; if you have gone through my guide on /etc/shadow, you will know that the info displayed above is also stored in the shadow file, but this is much easier to read.
If you would like to alter the password information, you also use the chage command, so let's see some possible scenarios.
Force User To Change Their Password When They First Login In Linux
It is best practice to require users to change their password the first time they log in, and the chage command lets you force a password change at first login.
To achieve this, you set the date of the last password change to 0 (day zero), which expires the password immediately:
sudo chage -d 0 <user>
where the user would be replaced with your preferred username.
To confirm that the change worked, run chage -l against the user account you modified.
I have forced the user "thisisme" to change his password when he logs in for the first time, so I'll confirm the user's password information with:
sudo chage -l thisisme
Which then displays:
Whenever the user "thisisme" tries to log in, he will be required to change his password: he first confirms his current password and is then prompted to enter a new one.
An example from when I tried to switch to user "thisisme":
You can see that when I tried to switch to the user, the system replied with "You are required to change your password immediately".
I hope you got that; it is super simple.
Let's see some other use cases.
Require a Password Change After a Certain Period In Linux/Ubuntu
To require a password change after a period of time, you use the following command:
sudo chage -M 60 <user>
The -M option sets the maximum password age, the maximum number of days a user can keep a password.
Here I required a password change every 60 days; when the expiry date is 7 days away, the user will see a warning message at login, which is why you see "Number of days of warning before password expires: 7".
You can also change the number of days of warning before a password expires, using:
sudo chage -w 5 <user>
Change The Minimum Password Age In Linux/Ubuntu
Users can be tricky, and it is often recommended to set a minimum number of days before a user can change his or her password again. This way, users cannot cheat the password requirements by changing their password multiple times in a row, or straight back to what it originally was, after satisfying the initial password change.
You set the minimum number of days with a lowercase -m, not to be confused with the uppercase -M, which sets the maximum. Change the minimum days with the following command:
sudo chage -m 4 <user>
You can see the minimum number of days between password change has been set to 4.
You shouldn't make the minimum number of days too long, as that would be inconvenient for the user; sometimes a user has a legitimate reason to change his or her password (e.g. the account was compromised).
If a user wants to change their password before the minimum days have passed, you can discuss the reason with them, and you can always change it for them.
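As an added example (not part of the original guide), here is a POSIX shell audit that reads shadow-format lines and flags the ageing settings discussed above: accounts forced to change at next login (what -d 0 sets), accounts with no maximum age, and accounts with no minimum age. The sample lines are constructed; as root you can run audit_shadow against the real file.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the password-ageing fields
# that chage edits, reading /etc/shadow-format lines. The sample data below is
# constructed so this runs without root; as root you can pipe the real file in:
#   audit_shadow < /etc/shadow

# Constructed sample. Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$saltsalt$fakehash:19700:0:99999:7:::
thisisme:$6$saltsalt$fakehash:0:4:60:7:::
alice:$6$saltsalt$fakehash:19600:0:99999:7:::
bob:!:19600:4:60:7:::'

# audit_shadow reads shadow lines on stdin and prints "<user> <finding>" lines:
#   LOCKED        hash starts with ! or * (no password login possible)
#   FORCE_CHANGE  lastchg is 0, which is what "chage -d 0 <user>" sets
#   NO_MAX_AGE    max age empty or 99999, so the password never expires
#   NO_MIN_AGE    min age 0, so the user can cycle passwords back immediately
audit_shadow() {
    awk -F: '
    NF >= 5 {
        user = $1; hash = $2; last = $3; min = $4; max = $5
        if (hash ~ /^[!*]/)              print user, "LOCKED"
        if (last == "0")                 print user, "FORCE_CHANGE"
        if (max == "" || max+0 >= 99999) print user, "NO_MAX_AGE"
        if (min == "" || min+0 == 0)     print user, "NO_MIN_AGE"
    }'
}

# count_findings prints how many sample accounts carry the given finding tag
count_findings() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow | grep -c " $1\$"
}

# Run the audit over the constructed sample
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```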
Securing Users Passwords With Password Policy In Linux/Ubuntu
You see, one thing system admins get wrong is not setting password policies. Even if you force your users to change their passwords after a given number of days, it does little to no good if they change it to something simple, for example "123456789", their phone number, "Abcdef", etc.
A password policy helps enforce strong password requirements, e.g. you can set a minimum password length, require alphanumeric characters, and so on.
Before we get into the nitty-gritty of enforcing password requirements, you need to install the cracklib module for PAM (Pluggable Authentication Modules):
sudo apt install libpam-cracklib
Once it has finished installing, open the common-password file using:
sudo nano /etc/pam.d/common-password
Let's see some possible scenarios:
Prevent Users From Reusing Their Last Several Passwords In Unix
To prevent a user from reusing their previous passwords, add the following line to /etc/pam.d/common-password (if a pam_pwhistory line already exists, add remember=100 to that line instead):
password required pam_pwhistory.so remember=100
I am using remember=100, which makes the system remember the last 100 passwords for each user and prevent them from reusing any of them (cool, right?).
If you combine this with the minimum number of days before a user can change a password (for example, I set it to 4), then it would take [you guessed it right ;)] 400 days for the user to cycle back to their last used password, and that is only if the user changes his or her password every 4 days, 100 times.
By doing this, it is almost impossible for a user to utilize their old passwords.
After installing the PAM module, I tried changing a user's password to "123456789", and it gave me the following output:
Cool, right! The obscure option in common-password is what rejects simple passwords.
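As an added example (not part of the original guide), here is a stock common-password file beside the hardened version this section and the password-history section build up, with a small shell check that reports which policy settings a file contains. Both file contents are constructed samples; the minlen, difok and retry values are pam_cracklib options I add to show the minimum-length requirement mentioned above.

```shell
#!/bin/sh
# Added example, not from the original guide: a default Ubuntu-style
# /etc/pam.d/common-password next to a hardened one (pam_cracklib,
# pam_pwhistory remember=, obscure on pam_unix), plus a check that lists
# which of those settings a file has. Both files are constructed samples.

# Constructed: default file, only obscure on pam_unix, no history, no cracklib
DEFAULT_PAM='password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so'

# Constructed: hardened file. cracklib prompts for and vets the new password;
# pwhistory and pam_unix reuse it via use_authtok instead of asking again.
HARDENED_PAM='password requisite pam_cracklib.so retry=3 minlen=12 difok=3
password required pam_pwhistory.so use_authtok remember=100
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512
password requisite pam_deny.so
password required pam_permit.so'

# pam_policy reads a common-password file on stdin and prints the settings it
# finds, space separated: CRACKLIB[minlen=N], HISTORY=N, OBSCURE.
# Commented-out lines are ignored because their first field is not "password".
pam_policy() {
    awk '
    $1 != "password" { next }
    /pam_cracklib\.so/ {
        tag = "CRACKLIB"
        for (i = 2; i <= NF; i++) if ($i ~ /^minlen=/) tag = tag "[" $i "]"
        out = out (out ? " " : "") tag
    }
    /pam_pwhistory\.so/ {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^remember=/) { split($i, kv, "="); out = out (out ? " " : "") "HISTORY=" kv[2] }
    }
    /pam_unix\.so/ && /(^| )obscure( |$)/ { out = out (out ? " " : "") "OBSCURE" }
    END { print out }'
}

check_default()  { printf '%s\n' "$DEFAULT_PAM"  | pam_policy; }
check_hardened() { printf '%s\n' "$HARDENED_PAM" | pam_policy; }

echo "default:  $(check_default)"
echo "hardened: $(check_hardened)"
```

To check the live file, run pam_policy < /etc/pam.d/common-password.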
I hope you enjoyed the guide, goodbye and I will see you some other time.