User Management in Ubuntu (4): Password Management

Source: Internet
Author: User
Tags: lost password

Password is an important part of Linux security. Through this learning, you should learn how to create a password policy for your Linux system and where the password is stored, how to manage passwords for your users.

Effective password policies are an important part of a good system management plan. This policy must include the following:

Allowed and prohibited password composition
Password change frequency
Retrieving or resetting a lost password
User password operations
The password file is /etc/passwd, the database of all users on the system. Each line has the following form:

username:password:uid:gid:gecos:homedir:shell

This section briefly introduces the gecos field. It records miscellaneous information about the user, such as the full name, office location, office phone number, home phone number and a short remark. For security and privacy reasons the field is rarely used today, but the system administrator still needs to know about it, because traditional Unix programs such as finger and mail read it; for that reason the gecos field is usually called the finger information field. It is a comma-separated list and can be changed with the chfn (change finger) command. If the password field contains an asterisk, that user cannot log on to the Linux system; the administrator can lock a user by editing the password field or by running passwd -l. Some system accounts carry root-level privileges, so the administrator does not want anyone to log on to the system as them; setting the shell of such accounts to /sbin/nologin or /bin/false prevents them from logging in.

The content of /etc/passwd looks like this:

www.linuxidc.com@linuxidc:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
cindy:x:1000:1000:cindy,:/home/cindy:/bin/bash
......

Notice that no password is shown for any user; the password field only contains an x. This is because the system uses shadow passwords, a security enhancement in Linux: the real (hashed) password is stored in /etc/shadow, which is readable only by the system administrator and by PAM. Shadow passwords are enabled automatically in Ubuntu. The content of /etc/shadow looks like this:

www.linuxidc.com@linuxidc:~$ sudo cat /etc/shadow
[sudo] password for cindy:
root:$7$h9pRtnF/$Zf8pynVBJ/m.DfAl.Q1lgw8ZCmeGYqKCe/47sNfEV6FUq59UnB1CTcZVr4.Lost/mD6th.:15536:0:99999:7:::
daemon:*:15453:0:99999:7:::
bin:*:15453:0:99999:7:::
sys:*:15453:0:99999:7:::
sync:*:15453:0:99999:7:::
games:*:15453:0:99999:7:::
man:*:15453:0:99999:7:::
lp:*:15453:0:99999:7:::
cindy:$6$/IMKHjoh$export/zCDaKhp/aL1gqW1:15536:0:99999:7:::
......

Description of the colon-separated fields:

The 1st field is the user name.
The 2nd field is the encoded (hashed) password.
The 3rd field is the date the password was last changed, counted in days since 1 January 1970; that date is known as the UNIX epoch.
The 4th field is the minimum number of days that must pass before the password may be changed again (this stops a user from immediately changing a new password back to the old one).
The 5th field is the maximum number of days after which the password must be changed.
The 6th field is the number of days before expiry during which the user receives a warning.
The 7th field is the number of days after expiry before the account is disabled.
The 8th field is the day on which the account was disabled, counted in days since 1 January 1970.
The 9th field is reserved.
Note that password expiry and the expiry warning are disabled by default in Ubuntu; to enable them, the system administrator has to create a password policy. The permissions of /etc/shadow are restricted to 600, so regular users cannot read it.

The system administrator can edit /etc/shadow by hand or use the chage command to change the password aging rules (for details, see the man pages for shadow and chage).
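To make the field semantics concrete, here is an added example (not code from the original article) in Python that parses constructed /etc/passwd and /etc/shadow entries, reports which accounts can actually log in (interactive shell and a password field that is not locked with * or !) and computes the day a password must be changed from the 3rd and 5th shadow fields; the sample lines and placeholder hashes are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)  # shadow(5) day counts are measured from here
NO_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
# Constructed sample entries (not from a real host); the hashes are placeholders.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
cindy:x:1000:1000:cindy,,,:/home/cindy:/bin/bash
bob:x:1001:1001:bob,,,:/home/bob:/bin/bash
"""
SHADOW = """root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15536:0:99999:7:::
daemon:*:15453:0:99999:7:::
cindy:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15536:0:90:7:::
bob:!$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15536:0:99999:7:::
"""

@dataclass
class Status:
    user: str
    can_login: bool             # interactive shell and password field not locked
    policy_enforced: bool       # max-days differs from the Ubuntu default 99999
    expires_on: Optional[date]  # day the password must be changed, if enforced

def parse_shadow(text):
    """Map user -> hash, last-change day and max-days from shadow(5) text."""
    entries = {}
    for line in filter(None, text.splitlines()):
        f = line.split(":")
        entries[f[0]] = {"hash": f[1],
                         "last": int(f[2]) if f[2] else None,
                         "max": int(f[4]) if f[4] else 99999}
    return entries

def audit(passwd_text, shadow_text):
    """Join passwd and shadow entries into one Status per user."""
    shadow = parse_shadow(shadow_text)
    result = []
    for line in filter(None, passwd_text.splitlines()):
        user, _, _, _, _, _, shell = line.split(":")
        s = shadow[user]
        # '*' means no usable password; passwd -l prefixes the hash with '!'
        locked = s["hash"].startswith(("*", "!"))
        enforced = s["max"] != 99999
        expires = (EPOCH + timedelta(days=s["last"] + s["max"])
                   if enforced and s["last"] is not None else None)
        result.append(Status(user, shell not in NO_LOGIN_SHELLS and not locked,
                             enforced, expires))
    return result
```

Day 15536 corresponds to 15 July 2012, so with a 90-day maximum cindy's password must be changed by 13 October 2012, while root and bob with 99999 never expire.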

The system administrator can change user passwords in batches with the chpasswd command, which reads username:password pairs from its standard input:

echo 'username:password' | sudo chpasswd

To process many accounts at once, redirect a file of such pairs into the command. Ubuntu also provides the newusers command, which creates users from a text file in batches, assigns them to groups and creates their /home directories.
