3.4.3. Updating Users' Authentication
When running the basic useradd username command, the password is automatically set to never expire (see the /etc/shadow file).
If you want to change this, use passwd, the standard utility for administering the /etc/passwd file. The syntax of the passwd command looks as follows:
passwd option(s) username
You can, for example, lock the specified account. Locking is performed by turning the encrypted password into an invalid string: the encrypted string is prefixed with an exclamation mark (!). If you later find a reason to unlock the account, passwd has a reverse operation for locking. Only root can carry out these two operations.
passwd -l username
passwd -u username
Example 3.8. Unlocking a User Password
~]# passwd -l robert
Locking password for user robert.
passwd: Success
~]# passwd -u robert
passwd: Warning: unlocked password would be empty
passwd: Unsafe operation (use -f to force)
At first, the -l option locks robert's account password successfully. However, running the passwd -u command does not unlock the password because by default passwd refuses to create a passwordless account.
If you want a password for an account to expire, run passwd with the -e option. The user will be forced to change the password during the next login attempt:
passwd -e username
As far as the password lifetime is concerned, setting the minimum time between password changes is useful for forcing the user to really change the password. The system administrator can set the minimum (the -n option) and the maximum (the -x option) lifetimes. To inform the user about their password expiration, use the -w option. All these options must be accompanied by the number of days and can be run as root only.
Example 3.9. Adjusting Aging Data for User Passwords
~]# passwd -n 10 -x 60 -w 3 jane
The above command sets the minimum password lifetime to 10 days, the maximum password lifetime to 60 days, and the number of days in advance that jane will begin receiving warnings that her password will expire to 3 days.
Later, when you cannot remember the password settings, use the -S option, which outputs short information about the status of the password for a given account:
~]# passwd -S jane
jane LK 2014-07-22 10 60 3 -1 (Password locked.)
With the useradd command, you can also set the number of days after a password expires until the account is permanently disabled. A value of 0 disables the account as soon as the password has expired, and a value of -1 disables the feature, that is, the user will have to change their password when the password expires. The -f option is used to specify the number of days after a password expires until the account is disabled (but it may be unblocked by the system administrator):
useradd -f number-of-days username
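Added example (not part of the original guide): a shell function that reads /etc/shadow-format lines and flags the states this section describes, namely a locked password, a locked entry with no hash behind the lock (the case where passwd -u refuses in Example 3.8), an empty password, a password that never expires, and a missing inactivity limit. The sample entries are constructed, the label names are this example's own, and it assumes that any run of leading ! characters is the lock marker and that a maximum age of 99999 or an empty field means "never expires".

```shell
#!/bin/sh
# Added example: classify shadow(5)-format entries read from stdin.
# Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
# The label names (LOCKED, NEVER_EXPIRES, ...) are this example's own.
audit_shadow() {
    awk -F: '
    {
        user = $1; pw = $2; max = $5; inactive = $7

        hash = pw
        sub(/^!+/, "", hash)      # what would remain after an unlock

        if (pw ~ /^!/ && hash == "")
            print user ": LOCKED_NO_HASH"   # passwd -u would leave it empty
        else if (pw ~ /^!/)
            print user ": LOCKED"
        else if (pw == "")
            print user ": EMPTY_PASSWORD"   # login without a password

        # Assumption: an empty or 99999 maximum age means "never expires".
        if (max == "" || max + 0 >= 99999)
            print user ": NEVER_EXPIRES"
        else if (inactive == "" || inactive + 0 < 0)
            print user ": NO_INACTIVITY_LIMIT"  # no useradd -f style cutoff
    }'
}

# Constructed sample entries; the hashes are placeholders, not real ones.
sample_shadow() {
    cat <<'EOF'
robert:!!:16273:0:99999:7:::
jane:!!$6$CONSTRUCTED$PLACEHOLDERHASH:16273:10:60:3:::
alice:$6$CONSTRUCTED$PLACEHOLDERHASH:16273:10:60:3:14::
guest::16273:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

On a live system the same function can be fed the real file as root: audit_shadow < /etc/shadow.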
For more information on the passwd command, see the passwd(1) man page.