Change passwords and adjust password aging for local user accounts

Password configuration

Password aging requires users to change their password periodically. Use the chage command to configure password expiration. The syntax is:
# chage [options] user_name
When you run chage with only a user name, it prompts for each value and displays the currently set value in brackets:
# chage oracle
Changing the aging information for oracle
Enter the new value, or press ENTER for the default

 Minimum Password Age [14]:
 Maximum Password Age [30]:
 Last Password Change (YYYY-MM-DD) [2016-08-23]:
 Password Expiration Warning [7]:
 Password Inactive [-1]:
 Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
Password expiration information is stored in the /etc/shadow file.
# grep oracle /etc/shadow
oracle:$6$H28sLVDL$iNvp/AvbMeqqrslH2bfmTxJpE6.mO8UNzlIXGB3sp87jZP9dW1DxeoLf2QXR7hkLkomuXbtgO1zPKUEYRY8YI1:15284:14:30:7:::
As shown above, the oracle user has a minimum password age of 14 and a maximum password age of 30: the user must wait at least 14 days after a password change before changing it again, and must change the password within 30 days of the last change. The user is also warned 7 days before the password expiry date.
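
The aging fields of /etc/shadow described above can be audited in bulk. The script below is an added example, not part of the original post: aging_report and sample_shadow are hypothetical names, the sample entries are constructed (hashes replaced by "x"), and the 99999 "never expires" convention follows the chage -l output shown on this page.

```shell
#!/bin/sh
# Added example (not from the original post): classify password-aging state
# from shadow-format lines read on stdin.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is counted in days since 1970-01-01.

aging_report() {
    # $1 = "today" in days since the epoch; defaults to the current date.
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        /^#/ || NF < 6 { next }                       # skip comments and malformed lines
        {
            user = $1; last = $3; min = $4; max = $5; warn = $6
            if (last == "") { print user ": aging disabled (empty last-change field)"; next }
            if (last + 0 == 0) { print user ": must change password at next login"; next }
            if (max == "" || max + 0 >= 99999) { print user ": password never expires"; next }
            # Day-granular estimate; the login stack decides the exact cut-over
            # on the boundary day itself.
            left = (last + max) - today               # days until expiry
            if (left < 0)                state = "EXPIRED " (-left) " days ago"
            else if (left <= warn + 0)   state = "warning, " left " days left"
            else                         state = "ok, " left " days left"
            if (min + 0 > max + 0) state = state " (min > max: user cannot change it)"
            print user ": " state
        }'
}

# Constructed sample entries; hashes replaced by "x".
sample_shadow() {
    cat <<'EOF'
oracle:x:15284:14:30:7:::
geek:x:17062:0:99999:7:::
newuser:x:0:0:90:7:::
EOF
}

# Demo with a fixed "today" (day 15310) so the output is reproducible.
sample_shadow | aging_report 15310
```

On a live system, run it as root with the real file on stdin: aging_report < /etc/shadow.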

chage options

A number of options are available for the chage command. To list aging information:
# chage -l geek
Last password change     : Sep 18, 2016
Password expires     : never
Password inactive     : never
Account expires      : never
Minimum number of days between password change  : 0
Maximum number of days between password change  : 99999
Number of days of warning before password expires : 7
To force a user to set a new password immediately (force immediate expiration), set the last password change value to 0:
# chage -d 0 geek

authconfig

The Linux user password hashing algorithm is also configurable. Use the authconfig command to determine the current algorithm being used, or to set it to something different. To determine the current algorithm:
# authconfig --test | grep hashing
 password hashing algorithm is sha512
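To change the algorithm, use the --passalgo option with one of the following as a parameter: descrypt, bigcrypt, md5, sha256, or sha512, followed by the --update option. descrypt, bigcrypt and md5 are legacy algorithms that are far cheaper to brute-force offline than sha256 or sha512, so prefer sha512 unless compatibility with an older system requires otherwise. The change applies only to passwords set afterwards; existing hashes in /etc/shadow stay as they are until each user changes their password.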
# authconfig --passalgo=md5 --update

/etc/login.defs file

The /etc/login.defs file provides default user account settings. Default values include:
  • Location of user mailboxes
  • Password aging controls
  • Values for automatic UID selection
  • Values for automatic GID selection
  • User home directory creation options
  • umask value
  • Encryption method used to encrypt passwords
Sample /etc/login.defs file:


# cat /etc/login.defs
.....
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
......
GID_MIN                  1000
GID_MAX                 60000
.....
UID_MIN                  1000
UID_MAX                 60000
