Detailed explanation of the user password management commands passwd and chage in Linux

Time:2020-5-22

passwd

Change user password
Parameters

-k keep unexpired authentication tokens.
-l lock the account password. The effect is equivalent to usermod -L; only root can use it.
-u unlock (restore) the account password. The effect is equivalent to usermod -U; only root can use it.
-g change the group password. Equivalent to the gpasswd command.
-f change the user information accessed by the finger command.
-d turn off password authentication for the user. The user will not need to enter a password when logging in. Only a user with root permission can use it.
-S display the password authentication type of the specified user. Only users with root permission can use it.

The passwd file is a text file that contains a list of the system's accounts, giving some useful information about each account, such as user ID, group ID, home directory and shell. Often it also contains each user's encrypted password. It should be readable by everyone (many commands and tools, such as ls(1), use it to map user IDs to user names), but only the superuser should have write permission.

In the good old days this general read permission was no great problem. Everyone could read the encrypted passwords, because the hardware was too slow to crack a well-chosen password, and the basic assumption was a friendly user community. These days many people run some version of the shadow password suite, where the password field of /etc/passwd holds an asterisk (*) and the encrypted password is placed in /etc/shadow, which can only be read by the superuser.
Whether or not shadow passwords are used, many system administrators put an asterisk in the encrypted password field to make sure that the user cannot authenticate with a password (see the note below).
If you create a new login, first place an asterisk in the password field, then use passwd(1) to set it.
Each line of the password file has the following format:

account:password:UID:GID:GECOS:directory:shell
(account : password : user ID : group ID : general information : directory : shell)

The fields are described as follows:

account
The user's name on the system. It cannot contain uppercase letters.
password
The encrypted user password, or an asterisk.
UID
The numeric user ID.
GID
The numeric primary group ID for the user.
GECOS
This field is optional and is used only for storing information. Generally it contains the full name of the user. GECOS means General Electric Comprehensive Operating System; when GE's large-systems division was sold to Honeywell, it was renamed GCOS. Dennis Ritchie reported: “Sometimes when we send printing or batch jobs to the GCOS machine, the GCOS field interrupts the information of the $ident card, which is not beautiful. I think it’s too long.”
directory
The user's $HOME directory.
shell
The program to run at login (if it is empty, /bin/sh is used). If it is set to an executable that does not exist, the user cannot log in through login(1).

Note
If you want to create user groups, the members' GIDs must be equal and there must be an entry in /etc/group, otherwise the group does not exist.
If the encrypted password is set to an asterisk, the user will not be able to log in with login(1), but can still log in with rlogin(1), run existing processes and start new ones through rsh(1), cron(1), at(1), mail filters and other programs.
Trying to lock a user by changing the shell field gives the same result, and additionally permits the use of su(1).
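The field layout and notes above translate directly into an audit of a passwd-format file. The following is an added example, not part of the original article; the function names and sample accounts are hypothetical, and treating "x" as the shadow marker and a leading "!" as a lock prefix are assumptions the page does not state.

```shell
#!/bin/sh
# Added example: audit passwd(5)-format lines read from stdin.
# Function names and sample accounts are hypothetical.

# Constructed sample data; not taken from any real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice::1001:1001:Alice:/home/alice:/bin/bash
bob:$6$constructed$notarealhash:1002:1002:Bob:/home/bob:/bin/bash
toor:x:0:0::/root:/bin/sh
svc:*:1003:1003::/srv/svc:
EOF
}

audit_passwd() {
    awk -F: '
        # Layout: account:password:UID:GID:GECOS:directory:shell
        NF != 7 { print $1 ": malformed entry, expected 7 fields"; next }
        # Empty field: no password is needed to log in.
        $2 == "" { print $1 ": empty password field" }
        # Anything other than "*", "x" (assumed shadow marker) or a "!" lock
        # prefix is treated as a hash exposed in a world-readable file.
        $2 != "" && $2 != "*" && $2 != "x" && $2 !~ /^!/ {
            print $1 ": password hash readable in passwd file" }
        $3 == 0 && $1 != "root" { print $1 ": UID 0 on a non-root account" }
        $7 == "" { print $1 ": empty shell field, falls back to /bin/sh" }
    '
}

sample_passwd | audit_passwd
```

To check a real system, feed the file in on stdin: `audit_passwd < /etc/passwd`.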

For example:

# passwd abcd    # change the password of user abcd

chage
Password expiration (aging) is managed by this command.

Parameters:
-m the minimum number of days between password changes. A value of zero means that the password can be changed at any time.
-M the maximum number of days that the password remains valid.
-W the number of days before the password expires that the user starts receiving a warning message.
-E the date on which the account expires. After this day, the account will not be available.
-d the date of the last password change.
-I the inactivity period. If a password has been expired for this many days, the account will not be available.
-l list the current settings. Nonprivileged users can use it to determine when their passwords or accounts expire.

Example 1:

# chage -l abcd    # view the user's password settings

Last password change time: April 27, 2013
Password expiration time: never
Password inactive: never
Account expires: never
Minimum number of days between password changes: -1
Maximum number of days between password changes: -1
Number of days to warn before password expires: -1

# chage -M 90 zhangy    # password valid for 90 days

# chage -d 0 abcd    # force the user to change the password when logging in

# chage -d 0 -m 0 -M 90 -W 15 zhangy    # force the user to change the password at the next login, set the minimum password age to 0 and the maximum to 90 days, and warn 15 days in advance

Example 2:

# chage -E '2014-09-30' test    # this account is valid until 2014-09-30
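The values set with the chage options above are stored per account in /etc/shadow, so the aging state of every account can be reviewed in one pass. The following is an added example, not part of the original article; the function names and sample entries are hypothetical, and the field order is taken from shadow(5), which the page does not describe.

```shell
#!/bin/sh
# Added example: read shadow(5)-format lines and report password-aging state.
# Assumed field order (from shadow(5), not from the page):
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
# All dates are counted in days since 1970-01-01.

# Constructed sample data. zhangy reflects "chage -d 0 -m 0 -M 90 -W 15";
# test carries expire=16343, which is 2014-09-30 ("chage -E").
sample_shadow() {
    cat <<'EOF'
zhangy:$6$constructed$hash:0:0:90:15:::
test:$6$constructed$hash:19900:0:99999:7::16343:
carol:$6$constructed$hash:19900:0:90:15:::
dan:$6$constructed$hash:19920:0:90:15:::
erin:$6$constructed$hash:19990:0:90:15:::
frank:$6$constructed$hash:19990:0:99999:7:::
EOF
}

# aging_report TODAY   (TODAY = current date as days since 1970-01-01)
aging_report() {
    awk -F: -v today="$1" '
        $3 == "0" { print $1 ": must change password at next login"; next }
        $8 != "" && $8 + 0 < today { print $1 ": account expired"; next }
        $3 == "" || $5 == "" || $5 + 0 >= 99999 {
            print $1 ": password never expires"; next }
        {
            left = $3 + $5 - today      # days until lastchg + max
            if (left < 0)
                print $1 ": password expired " (0 - left) " days ago"
            else if ($6 != "" && left <= $6 + 0)
                print $1 ": password expires in " left " days, warning period active"
        }
    '
}

# Day 20000 is a constructed value standing in for the current date.
aging_report_demo() { sample_shadow | aging_report 20000; }
aging_report_demo
```

On a live system, run it as root with `aging_report "$(( $(date +%s) / 86400 ))" < /etc/shadow`.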