Password Management in Unix and Linux
In a Nutshell - CIW Course Section 3, Part A2, Chapter 9
Password File
The basic user database in a Unix system is the text file /etc/passwd. It lists all valid usernames and their associated information.
The password file allows processes to convert User Identification (UID) numbers to user names and vice-versa. The password file does not hold the encrypted password data.
The information held in the password file is in a colon delimited format and contains the username, UID, GID, Full Name, Home Directory and the logon shell path/filename.
    jsmith:x:123:999:SmithJohn:/home/jsmith:/bin/bash
The "x" in the second position is where the encrypted password used to be stored before it was moved into the more secure /etc/shadow file which is readable only by root. The /etc/passwd file is readable by all but writeable only by root.
Account Policies
Linux allows account policies to control changing of passwords, password aging and password checking.
The passwd command is the main utility for changing and checking passwords. The root user can use it to change any user's password, and an ordinary user can use it to change their own. This utility, in conjunction with PAM (Pluggable Authentication Modules), will also enforce the use of strong passwords.
Password Aging
Password aging is administered with the chage command, which sets aging parameters and stores the information in the /etc/shadow file. The /etc/shadow file holds colon delimited information as shown below:
    name:password:when_changed:min:max:warn:inactive:expires:
A full description of these fields and the chage option to update them is shown in the table below:
| Field | chage option | Description |
|---|---|---|
| name | | The user's username |
| password | | Contains the encrypted password |
| when_changed | -d number | Sets the date when the password was last changed |
| min | -m number | The minimum number of days allowed between password changes |
| max | -M number | The maximum number of days allowed between password changes |
| warn | -W number | The number of days before expiry that the user is warned of a required password change |
| inactive | | The number of days beyond the password expiration date after which the account will be disabled |
| expires | -E number | The date the account will be disabled |
| (all fields) | -l | Displays the aging information from the database |
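As an added example (not part of the CIW notes), the following Python parses /etc/shadow-style records with the fields listed above and classifies each account's aging state the way chage would report it; the sample records and hashes are constructed, and the field names mirror the table.

```python
# Added example (not from the CIW notes): parse /etc/shadow-style records and
# classify password-aging state from the fields described in the table above.
from dataclasses import dataclass
@dataclass
class ShadowEntry:
    name: str
    password: str
    when_changed: int  # days since 1970-01-01 of the last password change (-d)
    min_days: int      # -m
    max_days: int      # -M
    warn_days: int     # -W
    inactive: int      # grace days after expiry before lockout (-1 = not set)
    expires: int       # account expiry, days since epoch (-1 = never)

def _int(field: str, default: int) -> int:
    # An empty field means "not set"; callers pass the conventional default.
    return int(field) if field.strip() else default

def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError(f"malformed shadow record: {line!r}")
    name, pw, changed, mn, mx, warn, inact, exp = fields[:8]
    return ShadowEntry(name, pw, _int(changed, 0), _int(mn, 0), _int(mx, 99999),
                       _int(warn, 7), _int(inact, -1), _int(exp, -1))

def aging_state(e: ShadowEntry, today: int) -> str:
    # Rules follow shadow-utils: the password is expired once more than
    # max_days have passed since when_changed; inactive adds a grace window.
    if e.password.startswith(("!", "*")):
        return "locked"
    if e.expires >= 0 and today >= e.expires:
        return "account-expired"
    expiry = e.when_changed + e.max_days
    if today > expiry:
        if e.inactive >= 0 and today > expiry + e.inactive:
            return "inactive-locked"
        return "password-expired"
    if today >= expiry - e.warn_days:
        return "warn"
    return "ok"
# Constructed sample records (hashes are placeholders, not real accounts).
SAMPLE = """jsmith:$6$salt$hash:19750:0:90:7:5::
alice:$6$salt$hash:19700:0:90:7:::
carol:$6$salt$hash:19700:0:90:7:5::
bob:!$6$salt$hash:19700:0:99999:7:::
"""
def report(text: str, today: int) -> dict:
    return {e.name: aging_state(e, today) for e in map(parse_shadow_line, text.splitlines())}
```

Running `report(SAMPLE, 19800)` (day 19800 since the epoch) shows jsmith still within max, alice past max with no inactive grace, carol past max and past the grace window, and bob locked by the "!" prefix on the hash.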