Mastering Linux Password Management: Securing Your Digital Realm

Introduction

Password management is a critical aspect of maintaining system security in Linux environments. System administrators need to understand how to create and enforce secure password policies to protect user accounts and sensitive data from unauthorized access.

In this lab, you will learn how to use the passwd command to change user passwords and implement basic password policies. These fundamental skills are essential for anyone working with Linux systems, particularly in roles that involve user account management and system security.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL linux(("Linux")) -.-> linux/BasicFileOperationsGroup(["Basic File Operations"]) linux(("Linux")) -.-> linux/FileandDirectoryManagementGroup(["File and Directory Management"]) linux(("Linux")) -.-> linux/TextProcessingGroup(["Text Processing"]) linux(("Linux")) -.-> linux/UserandGroupManagementGroup(["User and Group Management"]) linux(("Linux")) -.-> linux/VersionControlandTextEditorsGroup(["Version Control and Text Editors"]) linux/BasicFileOperationsGroup -.-> linux/chmod("Permission Modifying") linux/FileandDirectoryManagementGroup -.-> linux/cd("Directory Changing") linux/TextProcessingGroup -.-> linux/grep("Pattern Searching") linux/UserandGroupManagementGroup -.-> linux/useradd("User Adding") linux/UserandGroupManagementGroup -.-> linux/passwd("Password Changing") linux/UserandGroupManagementGroup -.-> linux/id("User/Group ID Displaying") linux/VersionControlandTextEditorsGroup -.-> linux/nano("Simple Text Editing") subgraph Lab Skills linux/chmod -.-> lab-271347{{"Linux Password Changing"}} linux/cd -.-> lab-271347{{"Linux Password Changing"}} linux/grep -.-> lab-271347{{"Linux Password Changing"}} linux/useradd -.-> lab-271347{{"Linux Password Changing"}} linux/passwd -.-> lab-271347{{"Linux Password Changing"}} linux/id -.-> lab-271347{{"Linux Password Changing"}} linux/nano -.-> lab-271347{{"Linux Password Changing"}} end

Understanding the passwd Command

In Linux systems, the passwd command is used to change user passwords. This command allows users to change their own passwords, while system administrators can change passwords for any account on the system.

Creating a New User

Let's start by creating a new user that we can use for practicing password management. Open your terminal and make sure you are in the default working directory:

cd ~/project

Now, use the useradd command to create a new user named cyberuser:

sudo useradd cyberuser

This command creates a new user account but does not set a password for it. When you create a user without specifying a password, the account is usually locked by default.

You can verify that the user has been created by using the id command:

id cyberuser

You should see output similar to this:

uid=1001(cyberuser) gid=1001(cyberuser) groups=1001(cyberuser)

Setting a Password for the New User

Now that we have created a new user, let's set a password for this account using the passwd command:

sudo passwd cyberuser

After running this command, you will be prompted to enter a new password twice for confirmation:

New password:
Retype new password:
passwd: password updated successfully

Enter a password of your choice when prompted. For security purposes, the password you type will not be displayed on the screen.

The passwd command updates the password for the specified user account. When executed with sudo privileges, you can change the password for any user on the system.

Viewing Password Information

To view information about a user's password, including when it was last changed, you can use the chage -l command followed by the username:

sudo chage -l cyberuser

This command displays information about the user's password aging and expiration policies. The output will look similar to this:

Last password change                                    : Jul 15, 2023
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

This information is useful for understanding the current password policies applied to a user account.

Understanding Password Files in Linux

In Linux, password information is stored in several important system files. Understanding these files helps administrators manage user accounts effectively.

Navigate to your project directory:

cd ~/project

Let's examine the key files that store password and user account information:

First, look at the /etc/passwd file which contains basic user account information:

grep cyberuser /etc/passwd

You should see output similar to:

cyberuser:x:1001:1001::/home/cyberuser:/bin/sh

This line contains several fields separated by colons:

Username: cyberuser
Password placeholder: x (actual password is stored in /etc/shadow)
User ID (UID): 1001
Group ID (GID): 1001
User information field: (empty in this case)
Home directory: /home/cyberuser
Default shell: /bin/sh

Now, let's examine the shadow password file which contains encrypted password information:

sudo grep cyberuser /etc/shadow

The output will show the encrypted password and related information:

cyberuser:$6$xxxxxxxxxxxxxxxxxxx:19189:0:99999:7:::

The fields in this line include:

Username
Encrypted password
Days since Jan 1, 1970 that the password was last changed
Days before password may be changed
Days after which password must be changed
Days before password expiration to warn the user
Days after password expires until the account is disabled
Days since Jan 1, 1970 that the account has been disabled
A reserved field

This information is crucial for understanding how password security is implemented in Linux systems.

Enforcing Password Policies

Linux provides several tools to enforce password policies, which help maintain system security by ensuring users select strong passwords. In this step, you will learn how to implement basic password policies.

Setting Password Expiration

The chage command allows administrators to set password expiration policies. Navigate to your project directory:

cd ~/project

Let's set the maximum password age for our cyberuser account to 90 days:

sudo chage -M 90 cyberuser

This command sets the maximum number of days that a password remains valid before the user is required to change it.

You can also set a minimum password age, which prevents users from changing their passwords too frequently:

sudo chage -m 7 cyberuser

This command requires the user to wait at least 7 days before changing their password again.

Verify the changes you made:

sudo chage -l cyberuser

You should see the updated password policy information:

Last password change                                    : Jul 15, 2023
Password expires                                        : Oct 13, 2023
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 7
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7

Creating a Password Policy Script

Now, let's create a script that will implement more advanced password policies. Create a new file named cyberpolicy.sh:

nano ~/project/cyberpolicy.sh

Add the following content to the file:

#!/bin/bash

## Enforce password complexity
echo "password requisite pam_pwquality.so retry=3 minlen=8 difok=3" | sudo tee -a /etc/pam.d/common-password

## Set password expiration policy for all new users
echo "PASS_MAX_DAYS   90" | sudo tee -a /etc/login.defs
echo "PASS_MIN_DAYS   7" | sudo tee -a /etc/login.defs
echo "PASS_WARN_AGE   7" | sudo tee -a /etc/login.defs

echo "Password policy has been updated successfully."

Save the file by pressing Ctrl+O, then Enter, and exit nano with Ctrl+X.

Make the script executable:

chmod +x ~/project/cyberpolicy.sh

This script sets the following password policies:

Password complexity: Minimum 8 characters, at least 3 different characters from the previous password, with 3 retries allowed
Password expiration: 90-day maximum password age
Password change restriction: 7-day minimum password age
Password warning: 7 days before password expires

In a production environment, you would execute this script to apply these policies. However, for this lab, we'll just examine the content to understand how password policies can be implemented.

Summary

In this lab, you have learned essential skills for password management in Linux systems. You have practiced:

Creating a new user account using the useradd command
Setting and changing passwords with the passwd command
Viewing password information in system files like /etc/passwd and /etc/shadow
Setting password expiration policies using the chage command
Creating a script to enforce password complexity and expiration policies

These skills are fundamental for system administrators who need to maintain secure systems by implementing proper password management practices. By understanding how to enforce strong password policies, you can significantly enhance the security of Linux systems and protect them from unauthorized access.

As you continue your learning journey, consider exploring more advanced topics such as PAM (Pluggable Authentication Modules) configuration, implementing multi-factor authentication, and automating user account management in enterprise environments.

Linux Password Changing