How to set password expiration policies for Linux user accounts

LinuxLinuxBeginner
Practice Now

Introduction

This tutorial covers the key aspects of Linux password policies, including understanding password complexity requirements, configuring password expiration settings, and monitoring and auditing password policies. Mastering these techniques is essential for system administrators and security professionals to maintain the security and integrity of user accounts on Linux systems.


Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL linux(("`Linux`")) -.-> linux/SystemInformationandMonitoringGroup(["`System Information and Monitoring`"]) linux(("`Linux`")) -.-> linux/UserandGroupManagementGroup(["`User and Group Management`"]) linux/SystemInformationandMonitoringGroup -.-> linux/crontab("`Job Scheduling`") linux/UserandGroupManagementGroup -.-> linux/useradd("`User Adding`") linux/UserandGroupManagementGroup -.-> linux/userdel("`User Removing`") linux/UserandGroupManagementGroup -.-> linux/usermod("`User Modifying`") linux/UserandGroupManagementGroup -.-> linux/passwd("`Password Changing`") linux/UserandGroupManagementGroup -.-> linux/sudo("`Privilege Granting`") linux/SystemInformationandMonitoringGroup -.-> linux/date("`Date/Time Displaying`") linux/SystemInformationandMonitoringGroup -.-> linux/time("`Command Timing`") linux/SystemInformationandMonitoringGroup -.-> linux/service("`Service Managing`") subgraph Lab Skills linux/crontab -.-> lab-414806{{"`How to set password expiration policies for Linux user accounts`"}} linux/useradd -.-> lab-414806{{"`How to set password expiration policies for Linux user accounts`"}} linux/userdel -.-> lab-414806{{"`How to set password expiration policies for Linux user accounts`"}} linux/usermod -.-> lab-414806{{"`How to set password expiration policies for Linux user accounts`"}} linux/passwd -.-> lab-414806{{"`How to set password expiration policies for Linux user accounts`"}} linux/sudo -.-> lab-414806{{"`How to set password expiration policies for Linux user accounts`"}} linux/date -.-> lab-414806{{"`How to set password expiration policies for Linux user accounts`"}} linux/time -.-> lab-414806{{"`How to set password expiration policies for Linux user accounts`"}} linux/service -.-> lab-414806{{"`How to set password expiration policies for Linux user accounts`"}} end

Understanding Linux Password Policies

Linux password policies are a set of rules and configurations that govern the behavior of user passwords on a Linux system. These policies are crucial for maintaining the security and integrity of user accounts, preventing unauthorized access, and ensuring compliance with organizational security standards.

Understanding the basic concepts of Linux password policies is essential for system administrators and security professionals. This section will explore the key aspects of password policies, including password complexity requirements, password expiration, and password history.

Password Complexity Requirements

Linux password policies typically include rules for password complexity, such as minimum length, character composition (e.g., requiring a combination of uppercase, lowercase, numbers, and special characters), and restrictions on the use of common or easily guessable passwords. These requirements help ensure that user passwords are strong and resistant to brute-force attacks.

To configure password complexity requirements on Ubuntu 22.04, you can use the pwquality package. Here's an example of how to set the minimum password length to 8 characters and require at least one uppercase, one lowercase, and one numeric character:

sudo apt-get install libpam-pwquality
sudo sed -i 's/minlen = 8/minlen = 8/g' /etc/security/pwquality.conf
sudo sed -i 's/dcredit = -1/dcredit = -1/g' /etc/security/pwquality.conf
sudo sed -i 's/ucredit = -1/ucredit = -1/g' /etc/security/pwquality.conf
sudo sed -i 's/lcredit = -1/lcredit = -1/g' /etc/security/pwquality.conf

After making these changes, the new password complexity requirements will be enforced for all user accounts.

Password Expiration

Linux password policies often include settings for password expiration, which require users to change their passwords after a specified period of time. This helps mitigate the risk of compromised passwords and ensures that user credentials remain up-to-date.

To configure password expiration settings on Ubuntu 22.04, you can use the chage command. For example, to set the password expiration period to 90 days for a user named "john", you can run the following command:

sudo chage -M 90 john

This will set the maximum password age for the user "john" to 90 days, after which the user will be prompted to change their password.

Password History

Password history policies in Linux keep track of the previous passwords used by a user and prevent them from reusing the same password within a specified period. This helps ensure that users do not recycle old, potentially compromised passwords.

To configure password history on Ubuntu 22.04, you can use the libpam-pwhistory package. Here's an example of how to set the password history to remember the last 5 passwords and prevent their reuse for 365 days:

sudo apt-get install libpam-pwhistory
sudo sed -i 's/remember=5/remember=5/g' /etc/security/pwhistory.conf
sudo sed -i 's/enforce_for_root/enforce_for_root/g' /etc/security/pwhistory.conf
sudo sed -i 's/expire=365/expire=365/g' /etc/security/pwhistory.conf

After making these changes, the new password history policy will be enforced for all user accounts.

Configuring Password Expiration Settings

Configuring password expiration settings is a crucial aspect of managing user accounts and maintaining the security of a Linux system. By enforcing password expiration policies, you can ensure that user credentials are regularly updated, reducing the risk of compromised passwords and unauthorized access.

In this section, we will explore the process of configuring password expiration settings on Ubuntu 22.04 using the chage command.

Setting Password Expiration Period

The chage command allows you to set the maximum password age for a user account, after which the user will be prompted to change their password. To set the password expiration period for a user named "john" to 90 days, you can run the following command:

sudo chage -M 90 john

This command sets the maximum password age for the user "john" to 90 days. After this period, the user will be required to change their password.

Enforcing Password Expiration

To ensure that password expiration policies are enforced across your system, you can configure the default password expiration settings for all new user accounts. This can be done by modifying the /etc/login.defs file, which contains system-wide configuration settings for user accounts.

Here's an example of how to set the default password expiration period to 90 days:

sudo sed -i 's/PASS_MAX_DAYS\s*99999/PASS_MAX_DAYS 90/g' /etc/login.defs

This change will apply the 90-day password expiration policy to all new user accounts created on the system.

Monitoring Password Expiration

To monitor the password expiration status of user accounts, you can use the chage command with the -l option. This will display the current password expiration settings for a specific user account.

For example, to check the password expiration details for the user "john", you can run the following command:

sudo chage -l john

This will provide information about the user's password expiration date, the number of days until the password expires, and other relevant details.

By configuring and monitoring password expiration settings, you can effectively manage user account security and ensure that user credentials are regularly updated, reducing the risk of unauthorized access and data breaches.

Monitoring and Auditing Password Policies

Monitoring and auditing password policies are essential for ensuring the ongoing security and compliance of your Linux system. By regularly reviewing and analyzing password-related data, you can identify potential vulnerabilities, detect policy violations, and take appropriate actions to maintain the integrity of your user accounts.

Monitoring Password Expiration

To monitor the password expiration status of user accounts, you can use the chage command with the -l option. This will display the current password expiration settings for a specific user account.

For example, to check the password expiration details for the user "john", you can run the following command:

sudo chage -l john

This will provide information about the user's password expiration date, the number of days until the password expires, and other relevant details.

You can also generate a report of all user accounts and their password expiration status by using the following script:

#!/bin/bash

echo "Username,Password Expiration Date,Days Until Expiration"
for user in $(awk -F: '$3 >= 1000 {print $1}' /etc/passwd); do
    expiration_date=$(chage -l "$user" | grep "Password expires" | awk -F": " '{print $2}')
    days_until_expiration=$(chage -l "$user" | grep "days)" | awk -F")" '{print $1}')
    echo "$user,$expiration_date,$days_until_expiration"
done

This script will output a CSV-formatted report with the username, password expiration date, and the number of days until the password expires for each user account.

Auditing Password Policies

To audit the password policies in place on your Ubuntu 22.04 system, you can review the configuration files and settings that govern password-related rules.

The main configuration file for password policies is /etc/security/pwquality.conf. You can review the settings in this file to ensure that the password complexity requirements are aligned with your organization's security standards.

Additionally, you can use the pwck command to check the integrity of the password-related files and settings. This command will report any inconsistencies or errors in the password policy configuration.

sudo pwck

The output of this command will provide information about any issues or potential security risks related to the password policies on your system.

By regularly monitoring and auditing your password policies, you can maintain the security and compliance of your Linux system, ensuring that user accounts are properly protected and that any policy violations are promptly addressed.

Summary

Linux password policies are crucial for ensuring the security and integrity of user accounts. By understanding password complexity requirements, configuring password expiration settings, and regularly monitoring and auditing password policies, you can effectively mitigate the risk of unauthorized access and comply with organizational security standards. This tutorial has provided you with the necessary knowledge and practical steps to implement and manage robust password policies on your Linux system.

Other Linux Tutorials you may like