Basic use of passwd command in Linux system

1. Introduction to passwd command

1.1 Introduction to passwd command

The passwd command is used to change user passwords. By using the passwd command, users can change their own passwords, and administrators can change other users' passwords (administrator privileges required). By default, only the root user has the permission to change the passwords of other users.

1.2 Origin of passwd command

The passwd command originated on Unix/Linux systems and is used to change user passwords. It is designed to protect system security by ensuring that only authorized users can change their own passwords or the passwords of other users. The passwd command is installed by default on Unix systems, and with the development of Linux it has become one of the indispensable commands on Linux systems. On Linux, the passwd command can be used not only to change user passwords but also to manage other user security settings, such as locking user accounts and forcing users to change passwords.

2. Help on using the passwd command

2.1 help information of passwd command

Use the --help option to display the usage information for the passwd command:

[root@jeven ~]# passwd --help
Usage: passwd [OPTION...] <accountName>
  -k, --keep-tokens       keep non-expired authentication tokens
  -d, --delete            delete the password for the named account (root only)
  -l, --lock              lock the password for the named account (root only)
  -u, --unlock            unlock the password for the named account (root only)
  -e, --expire            expire the password for the named account (root only)
  -f, --force             force operation
  -x, --maximum=DAYS      maximum password lifetime (root only)
  -n, --minimum=DAYS      minimum password lifetime (root only)
  -w, --warning=DAYS      number of days warning users receives before password expiration (root only)
  -i, --inactive=DAYS     number of days after password expiration when an account becomes disabled (root only)
  -S, --status            report password status on the named account (root only)
  --stdin                 read new tokens from stdin (root only)

Help options:
  -?, --help              Show this help message
  --usage                 Display brief usage message

2.2 Syntax explanation of passwd command

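  • Syntax
passwd (options) (parameters)
  • Options
-d: delete the password; only the system administrator can use this;
-f: force the operation;
-k: only update the password after it has expired;
-l: lock the password;
-u: unlock a locked account;
-S: query the password status of a user account, including whether the password has expired, whether it is locked, etc.;
-e: force the user to change the password at the next login.
  • Parameters
Username: the name of the user whose password is to be set.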

3. View passwd related files

3.1 View user-related files

  • The location of user related files
/etc/passwd
/etc/shadow
[root@jeven ~]# cat /etc/passwd |head
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
[root@jeven ~]# cat /etc/shadow |head
root:$6$HUNcB21gvHcKRS2p$xaKt.2kCyjDp7bUW5vbR0ZlxB0.DEOiqPPTofGHCVNOqVWqCE8jxcy0M5H4lSvhsACSMkfV0iY0Y7sLRIIFrg1::0:99999:7:::
bin:*:17834:0:99999:7:::
daemon:*:17834:0:99999:7:::
adm:*:17834:0:99999:7:::
lp:*:17834:0:99999:7:::
sync:*:17834:0:99999:7:::
shutdown:*:17834:0:99999:7:::
halt:*:17834:0:99999:7:::
mail:*:17834:0:99999:7:::
operator:*:17834:0:99999:7:::
  • passwd file analysis
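Example: adm:x:3:4:adm:/var/adm:/sbin/nologin
adm  # user name
x  # password field (x means the hash is stored in /etc/shadow)
3  # user ID (0 is root; ordinary newly created users start from 500)
4  # ID of the group the user belongs to
adm  # description
/var/adm  # user's home directory
/sbin/nologin  # user's default shell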
  • shadow file analysis
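Example: zhangsan:!!:19649:0:99999:7:::
zhangsan  # name of the user account
!!  # hash of the user's password produced by the hashing algorithm; shown as !! if no password has been set
19649  # time of the most recent password change, expressed as the number of days since 1970-01-01
0  # minimum number of days a password must be used; the default is 0, meaning no requirement
99999  # maximum number of days the password remains valid
7  # number of days of warning before the password expires; the default is 7
(empty)  # how long the account can be inactive before it is automatically locked
(empty)  # time at which the account is disabled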

3.2 View group related files

  • The location of group related files
/etc/group
/etc/gshadow
[root@jeven ~]# cat /etc/group |head
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
[root@jeven ~]# cat /etc/gshadow |head
root:::
bin:::
daemon:::
sys:::
adm:::
tty:::
disk:::
lp:::
mem:::
kmem:::

4. Basic use of passwd command

4.1 Set user password

For example, after creating a new user zhangsan, you need to set a password for zhangsan. As root, you can set the password directly, and the password is set even if it violates the password policy (the BAD PASSWORD message below is only a warning). An ordinary user can only set a password for his or her own account.

  • Under root user privileges
[root@jeven ~]# passwd zhangsan
Changing password for user zhangsan.
New password:
BAD PASSWORD: The password contains the user name in some form
Retype new password:
passwd: all authentication tokens updated successfully.

  • Under ordinary users, you can only set a password for yourself.
Command line: passwd
Then enter the current password:
Then enter the new password:

  • If an ordinary user tries to set a password for another user, the following message is shown.
[zhangsan@jeven ~]$ passwd admin
passwd: Only root can specify a user name.

4.2 Users are prohibited from changing passwords

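Under the root user, we can prohibit a user from changing the password by using the -l option to lock it. Locking works by prefixing the stored hash in /etc/shadow with !, so password login is disabled as well; other authentication methods, such as SSH public keys, are not affected.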

  • Locked user zhangsan cannot change password
[root@jeven ~]# passwd  -l zhangsan
Locking password for user zhangsan.
passwd: Success
  • Switching to zhangsan user and changing the password will fail.
[zhangsan@jeven ~]$ passwd
Changing password for user zhangsan.
Changing password for zhangsan.
(current) UNIX password:
passwd: Authentication token manipulation error

4.3 Unlock password-locked accounts

Use the -u option to unlock a password-locked account

[root@jeven ~]# passwd -u zhangsan
Unlocking password for user zhangsan.
passwd: Success

4.4 Query account and password information

Use the -S option to query account and password information

[root@jeven ~]# passwd -S zhangsan
zhangsan PS 2023-10-19 0 99999 7 -1 (Password set, SHA512 crypt.)

4.5 Clear user password

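Use the -d option to clear the password of user zhangsan. This leaves the account passwordless rather than disabled, so it should be followed by setting a new password or locking the account.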

[root@jeven ~]# passwd -d zhangsan
Removing password for user zhangsan.
passwd: Success

Query and verify the zhangsan user status. The password is empty.

[root@jeven ~]# passwd -S zhangsan
zhangsan NP 2023-10-19 0 99999 7 -1 (Empty password.)
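
The following added example (not part of the original article) connects the /etc/shadow field breakdown in section 3.1 to the passwd -S status lines in sections 4.4 and 4.5: it reads shadow-format lines, prints a passwd -S style summary and flags empty or non-expiring passwords. The account lines, the function names sample_shadow and shadow_status, the finding labels and the simplified PS/LK/NP rule are assumptions made for illustration; GNU or BusyBox date is assumed.

```shell
#!/bin/sh
# Added example, not from the original article. Sample lines are constructed.

# sample_shadow: constructed shadow(5)-format lines (placeholder hashes).
sample_shadow() {
    cat <<'EOF'
zhangsan::19649:0:99999:7:::
newuser:!!:19649:0:99999:7:::
lisi:$6$EXAMPLESALT$EXAMPLEHASH:19649:6:30:7:::
svc:$6$EXAMPLESALT$EXAMPLEHASH:0:0:99999:7:::
EOF
}

# shadow_status: read shadow-format lines on stdin; per account print
#   name status last-change min max warn inactive findings
# Simplified rule (assumption): empty hash -> NP, leading ! or * -> LK, else PS.
shadow_status() {
    while IFS=: read -r name hash last min max warn inactive expire _; do
        [ -n "$name" ] || continue
        case "$hash" in
            '')        code=NP ;;
            '!'*|'*'*) code=LK ;;
            *)         code=PS ;;
        esac
        # Field 3 counts days since 1970-01-01; convert it to a calendar date.
        case "$last" in
            ''|*[!0-9]*) changed=never ;;
            *) changed=$(date -u -d "@$((last * 86400))" +%F) ;;  # GNU/BusyBox date
        esac
        flags=
        [ "$code" = NP ] && flags="${flags}empty-password,"
        # A last-change value of 0 forces a password change at next login.
        [ "$last" = 0 ] && flags="${flags}change-at-next-login,"
        case "$max" in ''|99999) flags="${flags}never-expires," ;; esac
        flags=${flags%,}
        printf '%s %s %s %s %s %s %s %s\n' "$name" "$code" "$changed" \
            "${min:-0}" "${max:--1}" "${warn:--1}" "${inactive:--1}" "${flags:-ok}"
    done
}

sample_shadow | shadow_status
```

On a real host, run it as root with shadow_status < /etc/shadow; any line flagged empty-password corresponds to the NP state shown above.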

4.6 Change password expiration time

The password expiration policy for user zhangsan can be set with three options: -x (maximum number of days), -n (minimum number of days) and -w (number of days of advance warning).


passwd -x 30 zhangsan
passwd -n 6 zhangsan
passwd -w 7 zhangsan

5. Precautions for using the passwd command

  • Only the super user (root user) can change the passwords of other users.

  • Passwords should be strong and complex enough to protect user accounts; consider password length, mixed letter case, symbols, etc.

  • When changing your password, you should use one that is strong enough and avoid information that is easy to guess, such as your birthday or common dictionary words.

  • When changing your password, you should avoid using the same password that you used previously.

  • Make sure that after you change your password, you do not write it down in plain text, such as on a note or on your computer desktop.

  • When using the passwd command, make sure you have sufficient permissions, otherwise you will not be able to change the password.

  • If there are multiple users in the system, administrators should encourage users to change their passwords regularly to ensure system security. It is recommended to change passwords every 3-6 months.

Origin blog.csdn.net/jks212454/article/details/133932076