Password Management


passwd

Changes a user's password.

Syntax

passwd [options] [username]

Example

To change the password for the current user, simply run:

passwd

You will be prompted to enter and confirm the new password.

If changing the password for another user, use:

sudo passwd username

Replace username with the actual username.

pwquality.conf

The pwquality.conf file in Red Hat Enterprise Linux (RHEL) is used to configure password quality requirements. It is part of the Pluggable Authentication Modules (PAM) system and is often used to enforce password complexity rules. As a sysadmin, you can use this file to enhance the security of user passwords.

  1. Enforcing Minimum Password Length

    Let's say you want to ensure that all users have passwords with a minimum length of 10 characters.

    1. Edit the pwquality.conf file:

       sudo nano /etc/security/pwquality.conf
      
    2. Add the following line:

       minlen = 10
      
    3. Save the file.

    Now, users attempting to change their password or set a new one will be required to use a password with a minimum length of 10 characters.

  2. Enforcing Password Complexity

    You want to enhance password security by requiring users to include characters from different character classes (upper-case, lower-case, numeric, and special characters).

    1. Edit the pwquality.conf file:

       sudo nano /etc/security/pwquality.conf
      
    2. Add the following lines:

       minclass = 4
       maxclassrepeat = 3
      
    3. Save the file.

    Now, when users change or set their password, it must contain characters from at least four different character classes (minclass), with no more than three consecutive characters from the same class (maxclassrepeat).

  3. Denying Simple or Common Passwords

    To prevent users from choosing simple or common passwords, enable the dictcheck parameter (alongside minclass and maxclassrepeat) so that candidate passwords are compared against a dictionary.

    1. Install a password dictionary package (e.g., cracklib-dicts):

       sudo yum install cracklib-dicts
      
    2. Edit the pwquality.conf file:

       sudo nano /etc/security/pwquality.conf
      
    3. Add the following lines:

       minclass = 4
       maxclassrepeat = 3
       dictcheck = 1
      
    4. Save the file.

    With these settings, users attempting to change their password will be denied if their new password is found in the dictionary.

    Note:

    Always test changes in a safe environment before applying them to a production system. Additionally, consult the pwquality.conf man page (man pwquality.conf) for a comprehensive list of configuration options and details.
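As an added illustration (not libpwquality's own code), the Python model below applies the minlen, minclass, maxclassrepeat (the pwquality.conf name for the "no more than N consecutive characters from one class" rule) and dictcheck settings from the steps above to candidate passwords. The small word list is a constructed stand-in for cracklib-dicts; real dictcheck also catches reversed and mangled dictionary words, which this model does not attempt.

```python
"""Simplified model of the pwquality.conf rules configured above (added
example, not libpwquality's own code). The word list stands in for the
cracklib-dicts package; real dictcheck also catches reversed and mangled
dictionary words, which this model does not attempt."""
import string

# Constructed settings mirroring the article's /etc/security/pwquality.conf
POLICY = {"minlen": 10, "minclass": 4, "maxclassrepeat": 3, "dictcheck": 1}

# Constructed stand-in for the cracklib dictionary
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "redhat"}


def char_class(c: str) -> str:
    """Map one character to pwquality's four classes: upper/lower/digit/other."""
    if c in string.ascii_uppercase:
        return "upper"
    if c in string.ascii_lowercase:
        return "lower"
    if c in string.digits:
        return "digit"
    return "other"


def check_password(pw: str, policy: dict = POLICY) -> list[str]:
    """Return every rule the candidate violates; an empty list means accepted."""
    problems = []
    if len(pw) < policy["minlen"]:
        problems.append(f"shorter than minlen={policy['minlen']}")
    classes = {char_class(c) for c in pw}
    if len(classes) < policy["minclass"]:
        problems.append(f"uses {len(classes)} classes, minclass={policy['minclass']}")
    # maxclassrepeat: no run of consecutive characters from one class may
    # be longer than the limit (0 would disable the check)
    limit, run, prev = policy["maxclassrepeat"], 0, None
    for c in pw:
        cls = char_class(c)
        run = run + 1 if cls == prev else 1
        prev = cls
        if limit and run > limit:
            problems.append(f"{run} consecutive {cls} chars, maxclassrepeat={limit}")
            break
    # dictcheck: lower-case and trim digits/punctuation before the lookup
    word = pw.lower().strip(string.digits + string.punctuation)
    if policy["dictcheck"] and word in DICTIONARY:
        problems.append("found in dictionary")
    return problems


if __name__ == "__main__":
    for candidate in ("Password123!", "Tr0ub4dor&3x!", "Ab1!Ab1!"):
        print(candidate, "->", check_password(candidate) or ["accepted"])
```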

Encryption [/etc/shadow]

User passwords are stored in the /etc/shadow file, which holds the hashed (often loosely called encrypted) password along with other user-related data such as the aging fields. When a user account does not have a password set, the password field in /etc/shadow shows two exclamation marks ("!!").

Crypt function

When the passwd command sets or resets a password, it uses a cryptographic function to store it securely: the password is hashed with the crypt function and only the resulting hash is written to /etc/shadow, never the password itself.

The same kind of salted crypt hash can also be generated outside passwd with openssl passwd, combining a salt with the hashing method; see the crypt(3) man page:

https://man7.org/linux/man-pages/man3/crypt.3.html

Note: to give newly created users default password aging values (maximum and minimum age, warning period), define them in /etc/login.defs. The table below contrasts that file with pwquality.conf.

Feature        | /etc/login.defs                  | pwquality.conf
Primary focus  | General login behavior           | Password complexity
Options        | Minimum length, aging, warnings  | Character classes, reuse prevention
Enforcement    | Default system-wide settings     | Defines complexity requirements

chage

The chage command in Linux is used to modify user password aging information, which is stored in the /etc/shadow file. It allows a system administrator to set and change the aging policy for user accounts.

1. View Current Password Aging Information:

chage -l username

This command displays the current password aging information for a specific user (username). It includes details such as the last password change date, password expiration date, and other aging-related settings.

2. Set Maximum Password Age:

sudo chage -M 90 username

This example sets the maximum number of days a password is valid for the user username to 90. After 90 days, the user will be prompted to change their password.

3. Set Password Expiry Date:

sudo chage -E 2024-12-31 username

This command sets the password expiration date for the user username to December 31, 2024. After this date, the user will be required to change their password during the next login.

4. Set Password Inactivity Period:

sudo chage -I 14 username

This example sets the number of days of inactivity allowed for the user username to 14. If the user does not log in within this period, their password will expire.

5. Disable Password Aging:

sudo chage -m 0 -M 99999 -I -1 -E -1 username

This command disables all aging-related features for the user username. It sets the minimum and maximum password ages to 0 and 99999, respectively, and disables inactivity and expiration.

6. Set Warning Period:

sudo chage -W 7 username

This example sets the number of days before password expiration that the user username will start receiving warning messages. In this case, warnings will be displayed 7 days before password expiration.

Note

  • The -M flag sets the maximum number of days between password changes.

  • The -E flag sets the date on which the password will expire.

  • The -I flag sets the number of days of inactivity allowed before the account is locked.

  • The -m flag sets the minimum number of days between password changes.

  • The -W flag sets the number of days of warning before password expiration.
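To tie the /etc/shadow fields above to what chage -l reports, here is an added Python example (not code from the article or from shadow-utils) that decodes constructed shadow records: it classifies the password field (crypt hash prefix, "!!" locked, "*" no login, empty) and derives the expiry, warning-window, inactivity-lock and account-expiry state from the aging fields for a constructed "today" value.

```python
"""Decode /etc/shadow records into the facts chage -l reports (added example,
not code from the article or shadow-utils; records and 'today' are constructed)."""
from datetime import date, timedelta

# Hash-method prefixes from crypt(5). Other password-field values: "!!" is
# locked with no password set, "!<hash>" locked by passwd -l, "*" no login.
HASH_IDS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}

# Constructed records, name:hash:lastchg:min:max:warn:inactive:expire: with
# day fields counted since 1970-01-01 (19723 = 2024-01-01).
SHADOW = """\
alice:$6$constructedsalt$constructedhash:19723:0:90:7:14::
bob:!!:19700:0:99999:7:::
svc:*:19000:0:99999:7:::
carol:$y$j9T$constructedsalt$constructedhash:19500:1:60:7:14:19800:
"""
TODAY = 19800  # constructed "today" = 2024-03-18

def hash_kind(field: str) -> str:
    """Classify the password field as shadow(5) describes it."""
    if field == "":
        return "EMPTY (no password required)"
    if field in ("!", "!!"):
        return "locked, no password set"
    if field == "*":
        return "no password login"
    if field.startswith("!"):
        return "locked (" + hash_kind(field[1:]) + ")"
    for prefix, name in HASH_IDS.items():
        if field.startswith(prefix):
            return name
    return "unknown or legacy DES"

def aging_status(record: str, today: int = TODAY) -> dict:
    """Compute one user's password/account aging state from a shadow record."""
    name, pw, lastchg, _min, mx, warn, inact, expire = record.split(":")[:8]
    lastchg, mx = int(lastchg), int(mx or 99999)
    status = {"user": name, "hash": hash_kind(pw)}
    if mx >= 99999:                          # chage -M 99999: never expires
        status["password_expires"] = "never"
    else:
        exp_day = lastchg + mx               # last change + chage -M value
        status["password_expires"] = str(date(1970, 1, 1) + timedelta(exp_day))
        status["days_left"] = exp_day - today
        status["in_warning_window"] = 0 <= exp_day - today <= int(warn or 0)
        if inact:                            # chage -I: locked N days after expiry
            status["locked_by_inactivity"] = today > exp_day + int(inact)
    # field 8 is the account expiration day (chage -E); empty means none
    status["account_expired"] = bool(expire) and today >= int(expire)
    return status
```

Running aging_status over SHADOW.splitlines() gives one status per user, which can be compared against the live output of chage -l on a test system.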

visudo ----> /etc/sudoers
vipw ----> /etc/passwd
vigr ----> /etc/group


Support Afridi Shaik by becoming a sponsor. Any amount is appreciated!