Basic use of passwd command in Linux system
1. Introduction to passwd command
1.1 Introduction to passwd command
The passwd command is used to change user passwords. By using the passwd command, users can change their own passwords, and administrators can change other users' passwords (administrator privileges required). By default, only the root user has the permission to change the passwords of other users.
1.2 Origin of passwd command
The passwd command originated in Unix/Linux systems and is used to change user passwords. It is designed to protect the system by ensuring that only authorized users can change their own passwords or the passwords of other users. The passwd command is installed by default on Unix systems and, with the development of Linux, has become one of its indispensable commands. On Linux, passwd can also manage other account security settings, such as locking user accounts and forcing users to change their passwords.
2. Help on using the passwd command
2.1 help information of passwd command
Use the --help option to display the help information for the passwd command.
[root@jeven ~]# passwd --help
Usage: passwd [OPTION...] <accountName>
-k, --keep-tokens keep non-expired authentication tokens
-d, --delete delete the password for the named account (root only)
-l, --lock lock the password for the named account (root only)
-u, --unlock unlock the password for the named account (root only)
-e, --expire expire the password for the named account (root only)
-f, --force force operation
-x, --maximum=DAYS maximum password lifetime (root only)
-n, --minimum=DAYS minimum password lifetime (root only)
-w, --warning=DAYS number of days warning users receives before password expiration (root only)
-i, --inactive=DAYS number of days after password expiration when an account becomes disabled (root only)
-S, --status report password status on the named account (root only)
--stdin read new tokens from stdin (root only)
Help options:
-?, --help Show this help message
--usage Display brief usage message
2.2 Syntax explanation of passwd command
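- Syntax
passwd (options) (parameters)
- Options
-d: delete the password; only the system administrator can use this option;
-f: force the operation;
-k: update the password only after it has expired;
-l: lock the password;
-u: unlock a locked account;
-S: query the password status of the user account, including whether the password has expired, whether it is locked, etc.;
-e: force the user to change the password at the next login.
- Parameter
Username: the name of the user whose password is to be set.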
3. View passwd related files
3.1 View user-related files
- The location of user related files
/etc/passwd
/etc/shadow
[root@jeven ~]# cat /etc/passwd |head
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
[root@jeven ~]# cat /etc/shadow |head
root:$6$HUNcB21gvHcKRS2p$xaKt.2kCyjDp7bUW5vbR0ZlxB0.DEOiqPPTofGHCVNOqVWqCE8jxcy0M5H4lSvhsACSMkfV0iY0Y7sLRIIFrg1::0:99999:7:::
bin:*:17834:0:99999:7:::
daemon:*:17834:0:99999:7:::
adm:*:17834:0:99999:7:::
lp:*:17834:0:99999:7:::
sync:*:17834:0:99999:7:::
shutdown:*:17834:0:99999:7:::
halt:*:17834:0:99999:7:::
mail:*:17834:0:99999:7:::
operator:*:17834:0:99999:7:::
- passwd file analysis
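For example: adm:x:3:4:adm:/var/adm:/sbin/nologin
adm # user name
x # password (placeholder; the hash itself is stored in /etc/shadow)
3 # user ID (0 is root; newly created ordinary users start from 500)
4 # ID of the user's group
adm # description
/var/adm # user's home directory
/sbin/nologin # user's default shell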
- shadow file analysis
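For example: zhangsan:!!:19649:0:99999:7:::
zhangsan # name of the user account
!! # hash of the user's password produced by the hashing algorithm; shown as !! if no password has been set
19649 # date of the last password change, as the number of days since 1970-01-01
0 # minimum number of days the password must be used; the default is 0 (no requirement)
99999 # maximum number of days the password is valid
7 # number of days of warning before the password expires; the default is 7
(empty) # how long the account may be inactive before it is automatically locked
(empty) # date on which the account is disabled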
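The field layout above can be checked mechanically. The following script is an added example, not part of the original article: it classifies shadow-format lines using the PS and NP codes that passwd -S prints later on this page, plus LK for entries whose password field starts with ! or *. The function names, the accounts lisi, wangwu and legacy, and the placeholder hashes are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify /etc/shadow-format lines read from stdin.
# Prints per account: name, status (PS/NP/LK), hash scheme, max-age note.
shadow_audit() {
    awk -F: '
    # Map the "$id$" prefix of a crypt hash to a scheme name.
    function scheme(h) {
        if (h ~ /^\$6\$/)      return "sha512crypt"
        if (h ~ /^\$5\$/)      return "sha256crypt"
        if (h ~ /^\$y\$/)      return "yescrypt"
        if (h ~ /^\$2[aby]\$/) return "bcrypt"
        if (h ~ /^\$1\$/)      return "md5crypt"
        return "other"
    }
    NF >= 5 {
        pw = $2; hash = pw
        sub(/^!+/, "", hash)               # drop the lock marker, keep the hash
        if (pw == "")          { st = "NP" }   # empty field: no password required
        else if (pw ~ /^[!*]/) { st = "LK" }   # "!", "!!" or "*": password unusable
        else                   { st = "PS" }   # a usable hash is stored
        sc = (hash == "" || hash == "*") ? "-" : scheme(hash)
        # 99999 is the conventional default and is treated as no expiry here.
        age = ($5 == "" || $5 + 0 >= 99999) ? "no-expiry" : ("max=" $5)
        print $1, st, sc, age
    }'
}

# Constructed sample input (placeholder hashes, not real ones).
sample_shadow() {
    cat <<'EOF'
root:$6$examplesalt$PLACEHOLDERHASH::0:99999:7:::
bin:*:17834:0:99999:7:::
zhangsan:!!:19649:0:99999:7:::
lisi:!!$6$examplesalt$PLACEHOLDERHASH:19649:6:30:7:::
wangwu::19649:0:99999:7:::
legacy:$1$examplesalt$PLACEHOLDERHASH:19649:0:90:7:::
EOF
}

sample_shadow | shadow_audit
```

On a real system the same function can be fed from the shadow file as root: shadow_audit < /etc/shadow. Lines reported as NP or md5crypt are the ones worth reviewing first.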
3.2 View group related files
- The location of group related files
/etc/group
/etc/gshadow
[root@jeven ~]# cat /etc/group |head
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
[root@jeven ~]# cat /etc/gshadow |head
root:::
bin:::
daemon:::
sys:::
adm:::
tty:::
disk:::
lp:::
mem:::
kmem:::
4. Basic use of passwd command
4.1 Set user password
For example, after creating a new user zhangsan, you need to set a password for zhangsan. As root, you can set the password directly: a password that fails the password policy check only triggers a BAD PASSWORD warning and is still accepted. An ordinary user can only set a password for themselves.
- Under root user privileges
[root@jeven ~]# passwd zhangsan
Changing password for user zhangsan.
New password:
BAD PASSWORD: The password contains the user name in some form
Retype new password:
passwd: all authentication tokens updated successfully.
- An ordinary user can only set a password for themselves.
Command line: passwd
Then enter the current password:
Then enter the new password:
- If an ordinary user tries to set a password for another user, the following message is displayed.
[zhangsan@jeven ~]$ passwd admin
passwd: Only root can specify a user name.
4.2 Users are prohibited from changing passwords
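As root, we can prevent a user from changing their password by locking it with the -l option. Locking makes the stored password unusable, so the user can no longer authenticate with it and therefore cannot change it either.
- Lock the password of user zhangsan so that it cannot be changed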
[root@jeven ~]# passwd -l zhangsan
Locking password for user zhangsan.
passwd: Success
- After switching to the zhangsan user, an attempt to change the password fails.
[zhangsan@jeven ~]$ passwd
Changing password for user zhangsan.
Changing password for zhangsan.
(current) UNIX password:
passwd: Authentication token manipulation error
4.3 Unlock password-locked accounts
Use the -u option to unlock a password-locked account
[root@jeven ~]# passwd -u zhangsan
Unlocking password for user zhangsan.
passwd: Success
4.4 Query account and password information
Use the -S option to query account and password information
[root@jeven ~]# passwd -S zhangsan
zhangsan PS 2023-10-19 0 99999 7 -1 (Password set, SHA512 crypt.)
4.5 Clear user password
Use the -d option to clear the password of user zhangsan.
[root@jeven ~]# passwd -d zhangsan
Removing password for user zhangsan.
passwd: Success
Query and verify the zhangsan user status. The password is empty.
[root@jeven ~]# passwd -S zhangsan
zhangsan NP 2023-10-19 0 99999 7 -1 (Empty password.)
4.6 Change password expiration time
The password aging settings of the zhangsan user can be changed with three options: -x (maximum number of days), -n (minimum number of days) and -w (number of days of advance warning).
passwd -x 30 zhangsan
passwd -n 6 zhangsan
passwd -w 7 zhangsan
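To see what these three values mean in calendar terms, the script below (an added example, not from the original article) converts the aging fields of a shadow entry into dates. It uses the zhangsan last-change value 19649 from this page together with the -n 6, -x 30 and -w 7 settings above. The function names are hypothetical, and it assumes a date command that accepts -d @SECONDS (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: turn /etc/shadow aging fields into calendar dates.
# Assumes date(1) accepts "-d @SECONDS" (GNU coreutils, BusyBox).

# Convert "days since 1970-01-01" (the unit of shadow field 3) to YYYY-MM-DD.
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%F
}

# pw_schedule LAST_CHANGE MIN MAX WARN
# Prints the earliest change date, the first warning date and the expiry date.
pw_schedule() {
    last=$1 min=${2:-0} max=$3 warn=${4:-0}
    # Empty last-change field: password aging is disabled for the account.
    if [ -z "$last" ]; then echo "aging-disabled"; return 0; fi
    # 0 is what "passwd -e" stores: a change is forced at the next login.
    if [ "$last" -eq 0 ]; then echo "change-required-at-next-login"; return 0; fi
    # Empty or 99999 (the conventional default) is treated as no expiry.
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo "no-expiry"; return 0; fi
    printf 'change-allowed=%s warn-from=%s expires=%s\n' \
        "$(days_to_date $(( last + min )))" \
        "$(days_to_date $(( last + max - warn )))" \
        "$(days_to_date $(( last + max )))"
}

# Split one shadow-format line on ":" and report its schedule.
schedule_from_line() {
    IFS=: read -r user _pw last min max warn _rest <<EOF
$1
EOF
    printf '%s ' "$user"
    pw_schedule "$last" "$min" "$max" "$warn"
}

# Constructed line: the zhangsan entry after the three commands above.
schedule_from_line 'zhangsan:!!:19649:6:30:7:::'
```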
5. Precautions for using the passwd command
- Only the super user (root user) can change the passwords of other users.
- Passwords should be of sufficient strength and complexity to protect the security of user accounts, such as password length, letter case, symbol mix, etc.
- When changing your password, you should use one that is strong enough and avoid information that is easy to guess, such as your birthday or common dictionary words.
- When changing your password, you should avoid using the same password that you used previously.
- Make sure that after you change your password, you do not write it down in plain text, such as on a note or on your computer desktop.
- When using the passwd command, make sure you have sufficient permissions, otherwise you will not be able to change the password.
- If there are multiple users in the system, administrators should encourage users to change their passwords regularly to ensure system security. It is recommended to change passwords every 3-6 months.