Linux User Password
This chapter covers local user passwords. You will learn how to change a password and how to set one using two different methods.
The first method uses the passwd command.
The second method uses the openssl passwd command.
Using passwd command
A user can set their password with the passwd command. The old password has to be typed twice before entering the new one.
Look at the above snapshot: the shell warns the user against creating a simple password. Ultimately, if the password has not been changed after two or three attempts, the passwd command fails and you have to run the command again.
However, these rules do not apply to the root user, who also does not need to type the old password. Root can change the password directly.
Look at the above snapshot: the password is changed successfully without any warning.
The encrypted user passwords are kept in the shadow file, /etc/shadow. This file is read-only and can be read only by root.
Look at the above snapshot: the /etc/shadow file contains nine columns separated by colons.
From left to right, these nine columns contain the username, the encrypted password, the day the password was last changed, the number of days the password must be left unchanged, the password expiry day, the number of days of warning before password expiry, the number of days after expiry before the account is disabled, and the day the account was disabled. The last column has no meaning yet.
Encryption With passwd
Passwords are always stored in encrypted format. Encryption is done with the crypt function. The simplest way to add a user with a password is to add the user with the command useradd -m and then set the user's password with the passwd command.
Look at the above snapshot: user akki is created with a password successfully.
Using openssl passwd
Encryption With openssl
The -p option can also be used to create a user with a password, but it requires an encrypted password.
This encrypted password can be generated with the openssl passwd command. The openssl passwd command can generate several distinct hashes for the same password. To do this, it uses a salt.
This salt can be chosen and is visible as the first two characters of the hash, as shown below.
Look at the above snapshot: the first two characters are the defined salt '32'.
To create a user with a password using the openssl command, the following syntax is used.
Look at the above snapshot: user aaa is created, and its password is kept in the command history.
The /etc/login.defs file contains some default settings, such as password aging and length settings.
The chage command can be used by a user to see information about their password. The -l option lists this information.
Disabling A Password
Passwords in /etc/shadow are never saved starting with an exclamation mark (!). If an exclamation mark is present at the start, the password cannot be used.
This feature can be used to disable a password; the process is called locking, disabling or suspending a user account. It can be done in vi or with the usermod command.
Here, we'll disable the password of akki with the usermod command.
Look at the above snapshot: the first command shows the hashed password of akki, and the command "usermod -L akki" disables the password of akki. Now user akki can't authenticate using this password.
Look at the above snapshot: the hashed password is preceded by !, which means it is disabled.
Please note that the root user will still be able to open the akki account, as a password is not needed here. And if user akki had not set a password, akki can also log in.
You can unlock your account with usermod -U.
Look at the above snapshot: the hashed password of akki is unlocked now, as there is no (!) mark at the start.
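The nine /etc/shadow columns and the ! lock marker described in this chapter can be checked by a small parser that reports each account's state. The Python code below is an added example, not part of the original tutorial. The function names, the sample lines and the fake hash strings are constructed for illustration, and the scheme prefixes ($1$, $5$, $6$, $y$) and the handling of "*" and empty password fields go beyond what the page lists.

```python
# Added example, not from the original page. Sample lines are constructed
# and the hash strings are fake placeholders, not real password hashes.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# crypt(3) scheme prefixes (common identifiers, an addition to the page)
SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt",
           "$6$": "sha512crypt", "$y$": "yescrypt"}

@dataclass
class ShadowEntry:
    user: str
    state: str                    # active, locked, no-login or no-password
    scheme: str                   # scheme of the stored hash, "" if unknown
    last_change: Optional[date]   # field 3 is days since 1970-01-01

def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:          # the nine colon-separated columns
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    user, pw, changed = fields[0], fields[1], fields[2]
    stored = pw.lstrip("!")       # hash with any lock marker removed
    scheme = next((n for p, n in SCHEMES.items() if stored.startswith(p)), "")
    if not scheme and len(stored) == 13 and "$" not in stored:
        scheme = "descrypt"       # traditional crypt: first 2 chars are the salt
    if pw == "":
        state = "no-password"     # empty field: no password is required
    elif pw.startswith("!"):
        state = "locked"          # what usermod -L produces
    elif pw == "*":
        state = "no-login"        # no password can ever match this value
    else:
        state = "active"
    last = date(1970, 1, 1) + timedelta(days=int(changed)) if changed.isdigit() else None
    return ShadowEntry(user, state, scheme, last)

def audit(text: str) -> List[ShadowEntry]:
    return [parse_shadow_line(l) for l in text.splitlines() if l.strip()]

SAMPLE = """\
root:$6$FAKESALT$FAKEHASHFAKEHASH:19000:0:99999:7:::
akki:!$6$FAKESALT$FAKEHASHFAKEHASH:19723:0:99999:7:::
aaa:32FAKEHASH012:19723:0:99999:7:::
daemon:*:18000:0:99999:7:::
guest::19723:0:99999:7:::
"""

if __name__ == "__main__":
    for e in audit(SAMPLE):
        print(f"{e.user:8} {e.state:12} {e.scheme or '-':12} {e.last_change}")
```

Accounts reported as no-password deserve the closest review, since an empty second field lets the user log in without any password.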