{"id":57808,"date":"2021-12-20T11:24:00","date_gmt":"2021-12-20T16:24:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=57808"},"modified":"2024-12-17T15:31:28","modified_gmt":"2024-12-17T20:31:28","slug":"how-to-manage-user-passwords-on-linux-machines","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/how-to-manage-user-passwords-on-linux-machines","title":{"rendered":"How to Manage User Passwords on Linux Machines"},"content":{"rendered":"\n
Editor’s note: this article is intended to provide general direction on how one might manage user passwords on a Linux device and does not suggest the means by which JumpCloud handles these types of administrative and security tasks. For more information about how JumpCloud helps IT admins manage passwords across any operating system, check out this Help Center article<\/a>. <\/em><\/p>\n\n\n\n Using a password with an associated user account is the primary method of authentication in Linux and most UNIX systems. It\u2019s one of the few authentication methods supported by the SSH protocol<\/a> besides public key authentication, which requires admins to create a key pair<\/a> (public and private key) to authenticate a user with a remote system.\u00a0<\/p>\n\n\n\n However, unlike public key authentication, passwords are prone to breaches such as brute force attacks that can be executed using automated scripts. Passwords can also be forgotten which means that users get locked out of the system. Weak and easily guessable passwords such as \u201cPassword123\u201d can also present a security risk, and are often a consequence of password fatigue<\/a>.<\/p>\n\n\n\n Password management is, therefore, one of the top-of-mind tasks that any system administrator should carry out. This tutorial sheds light on some of the ways you can manage passwords on a Linux system.<\/p>\n\n\n\n One of the commands used in managing passwords is the Linux passwd<\/kbd> command. The command can be used to perform a wide range of password management operations. Let\u2019s have a glance at some of the operations you can carry out using the passwd<\/kbd> command.<\/p>\n\n\n\n On Debian\/Ubuntu systems, the adduser<\/kbd> command walks you through the creation of a new login user. It allows you to specify the username and password, alongside other details. 
For some Linux flavors such as CentOS, RHEL, and Fedora, you need to invoke the passwd<\/kbd> command to specify the user\u2019s password.<\/p>\n\n\n\n The syntax for creating or changing a password takes the following format:<\/p>\n\n\n\n If you are logged in as a sudo user, you need to invoke sudo<\/kbd> before the command as follows:<\/p>\n\n\n\n Suppose you have a user called jack<\/kbd>. To change the user\u2019s password, simply execute the command:<\/p>\n\n\n\n You can also change your own password by simply running the command without any arguments.<\/p>\n\n\n\n Picture a situation where you have an employee who has been offboarded and you are required to deactivate their account. The best approach to take is to lock the account or deactivate the password. This prevents the user from accessing or logging into their account.<\/p>\n\n\n\n To deactivate the password or lock the account, use the -l<\/kbd> option as follows:<\/p>\n\n\n\n For instance, to lock Jack\u2019s account and prevent him from logging in, execute the command:<\/p>\n\n\n\n This is the exact opposite of locking a user\u2019s account. To unlock an account, pass the -u<\/kbd> option as follows:<\/p>\n\n\n\n To unlock Jack\u2019s account, run the command:<\/p>\n\n\n\n A security practice often recommended is the regular rotation of users\u2019 passwords. The primary reason for doing so is to avoid account compromise and to ensure that only authorized users are the ones using credentials to log in. While NIST no longer recommends rotating passwords, many organizations are still required to do so by their security policies. It\u2019s generally recommended that you update your password once a month.<\/p>\n\n\n\n You can enforce an immediate expiry of a user\u2019s password using the -e<\/kbd> option. 
This allows them to set a stronger password from their end.<\/p>\n\n\n\n For example, to expire Jack\u2019s password immediately and allow him to change his password, run the command:<\/p>\n\n\n\n The next time Jack tries to log in via SSH, he will be required to reset or change his password.<\/p>\n\n\n\n To ensure that users regularly update their passwords, you can enforce a password change after a maximum number of days (MAX_DAYS) using the -x<\/kbd> option.<\/p>\n\n\n\n In the following example, Jack\u2019s password is only valid for 90 days, after which he will be compelled to set a new password.<\/p>\n\n\n\n Additionally, you can set the minimum number of days (MIN_DAYS) using the -n<\/kbd> option. This is the minimum number of days that must pass after a password change before a user can change their password again. Enforcing a minimum password age discourages users from cycling straight back to an old password, which is a bad security practice.<\/p>\n\n\n\n Here, Jack can only change the password after 90 days and not earlier than that.<\/p>\n\n\n\n Additionally, you can set the number of days before expiry on which a user starts getting notified about the impending expiry of their password. The -w<\/kbd> option helps you to accomplish this.<\/p>\n\n\n\n In the example below, Jack will start to receive a warning about his password expiry 7 days before the actual expiry date.<\/p>\n\n\n\n Using the -i<\/kbd> option, you can set the number of days after the password expiry before the user account is disabled.<\/p>\n\n\n\n In the following example, Jack\u2019s account will be disabled 5 days after the password expiry if he doesn\u2019t change his password.<\/p>\n\n\n\n To display information about password expiration and aging, use the chage<\/kbd> command with the -l<\/kbd> option.<\/p>\n\n\n\n So far, we\u2019ve presented the various ways you can manage users\u2019 passwords using the passwd<\/kbd> and chage<\/kbd> commands. 
However, these password management tools do not address the issue of weak passwords \u2014 a glaring security risk that can compromise your system.<\/p>\n\n\n\n When setting a strong password, key aspects to consider include the password length and the types of characters used.<\/p>\n\n\n\n Common attributes of a robust and secure password include:<\/p>\n\n\n\n A password is considered weak if:<\/p>\n\n\n\n As mentioned earlier, weak user passwords can put your system at risk of a cyberattack. Strong user password enforcement will go a long way in making it harder for nefarious parties to breach your system.<\/p>\n\n\n\n PAM, short for pluggable authentication modules, is a suite of libraries that sits between applications and the native Linux authentication mechanism. It\u2019s the core of user authentication for modern Linux distributions. It provides a centralized way of selecting authentication methods for applications by leveraging configuration files.<\/p>\n\n\n\n In modern Linux systems such as Debian, CentOS, and Fedora, PAM comes enabled by default.<\/p>\n\n\n\n On Debian\/Ubuntu you need to install an additional module known as libpam-cracklib<\/kbd>. To achieve this, run the command:<\/p>\n\n\n\n Password policies are specified in the common-password<\/kbd> configuration file. But before you make any changes to the file, back it up so you can roll back the changes should something go wrong.<\/p>\n\n\n\n In our case, we\u2019ve made an extra copy of the file and named it common-password.bak<\/kbd>.<\/p>\n\n\n\n Using your preferred text editor, open the common-password<\/kbd> configuration file.<\/p>\n\n\n\n Locate and uncomment the following line:<\/p>\n\n\n\n Next, define your password policy by adding the line shown. 
This spells out the conditions to be met when creating new user passwords.<\/p>\n\n\n\n Let\u2019s break down the line and see what each option represents:<\/p>\n\n\n\n retry=3<\/kbd>: This is the maximum number of retries allowed when changing a user\u2019s password. The default is usually 1.<\/p>\n\n\n\n minlen=14<\/kbd>: This is the minimum acceptable number of characters for a new password.<\/p>\n\n\n\n lcredit=1<\/kbd>: The option sets the minimum number of lowercase characters that a password should have to one.<\/p>\n\n\n\n ucredit=1<\/kbd>: This sets the minimum number of uppercase characters in a password to at least one.<\/p>\n\n\n\n dcredit=1<\/kbd>: The option sets the minimum number of numeric characters (digits) in a password to one.<\/p>\n\n\n\n ocredit=1<\/kbd>: The option sets the minimum number of special symbols (e.g. !, @, $, #) in a password to at least one.<\/p>\n\n\n\n difok=2<\/kbd>: This sets the minimum number of characters in the new password that must be different from the old password to two.<\/p>\n\n\n\n reject_username<\/kbd>: This prevents users from including their usernames in a password.<\/p>\n\n\n\n As stipulated in the password policy, users would have to set a new password with a minimum length of 14 characters, and the password should include at least one uppercase letter, one lowercase letter, one digit, and one special character. Further, the new password should not include the user\u2019s username.<\/p>\n\n\n\n To test drive our password policy, try changing your current password to a new weak password, or to one which is not compliant with the newly set policy.<\/p>\n\n\n\n The output shown below points out failed attempts at setting a new password which does not meet the minimum requirements laid out by the new password policy.<\/p>\n\n\n\n As you can see, you will be unable to set a new password unless you fully comply with the newly configured password policy. 
This is an ideal way of ensuring that users only set strong passwords which make it more difficult for hackers to breach the system.<\/p>\n\n\n\n And there you go! You have successfully enforced the use of robust and secure passwords using the PAM library suite.<\/p>\n\n\n\n To further mitigate break-ins to your servers using brute force attacks, here are some of the extra steps you can take to bolster password authentication with an extra layer of security.<\/p>\n\n\n\n Fail2ban<\/a> is an open source intrusion detection application that safeguards your Linux machines from brute force attacks. It works by blocking IP addresses after a certain number of password failures which is typical of brute force attacks. It monitors authentication logs and picks out many signs of malicious activity and applies the ban based on configured rules.<\/p>\n\n\n\n The SSH protocol provides a wide range of security controls to harden the security of your system. If you decide to go with password authentication, then you can configure SSH to allow and deny connections from certain groups and users. For instance, you can disallow remote root login and only allow connection from specific users.<\/p>\n\n\n\n Lastly, you can enable multi-factor authentication (MFA)<\/a>, also known as two-factor authentication (2FA), to provide an extra layer of protection by having a time-based one-time password (TOTP) or push notification sent to your mobile device after authenticating with your password.<\/p>\n\n\n\n Free authenticator apps like JumpCloud Protect\u2122<\/a> make it easy to layer MFA across not just Linux devices, but MacOS and Windows devices, as well as SSH sessions. 
Download the app from the iOS App Store<\/a> or the Google Play Store<\/a> today to get started.<\/p>\n
Manage Passwords Using the passwd<\/kbd> Command<\/h2>\n\n\n\n
Create or Change User Passwords<\/h3>\n\n\n\n
# passwd username<\/code><\/p>\n\n\n\n
$ sudo passwd username<\/code><\/p>\n\n\n\n
$ sudo passwd jack<\/code><\/p>\n\n\n\n
$ passwd<\/code><\/p>\n\n\n\n
Lock a User’s Account or Password<\/h3>\n\n\n\n
# passwd -l username<\/code><\/p>\n\n\n\n
$ sudo passwd -l jack<\/code><\/p>\n\n\n\n
Unlock a User’s Account or Password<\/h3>\n\n\n\n
# passwd -u username<\/code><\/p>\n\n\n\n
$ sudo passwd -u jack<\/code><\/p>\n\n\n\n
Configure a User’s Password Expiry<\/h3>\n\n\n\n
# passwd -e username<\/code><\/p>\n\n\n\n
$ sudo passwd -e jack<\/code><\/p>\n\n\n\n
Enforce Password Change After Max Number of Days<\/h3>\n\n\n\n
$ sudo passwd -x 90 jack<\/code><\/p>\n\n\n\n
Set the Minimum Number of Days Before a Password Expires<\/h3>\n\n\n\n
$ sudo passwd -n 90 jack<\/code><\/p>\n\n\n\n
$ sudo passwd -w 7 jack<\/code><\/p>\n\n\n\n
Disable an Account Based on Password Expiry<\/h3>\n\n\n\n
$ sudo passwd -i 5 jack<\/code><\/p>\n\n\n\n
Display Information About Password Expiration<\/h3>\n\n\n\n
$ sudo chage -l jack<\/code><\/p>\n\n\n\n
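As an added example (not part of the original article), the following Python audit reads the same aging fields that passwd -x/-n/-w/-i set and chage -l reports, straight from /etc/shadow-format records, and classifies each account. The shadow lines, the fixed "today" date and the status names are constructed here so the audit runs without root.

```python
from datetime import date

# "Today" expressed the way shadow(5) stores dates: days since 1970-01-01.
# Fixed so the constructed sample below stays deterministic.
T = (date(2024, 1, 1) - date(1970, 1, 1)).days

# Constructed sample records in /etc/shadow format (hashes are placeholders):
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = f"""\
jack:$6$x$PLACEHOLDER:{T - 10}:0:90:7:5::
alice:$6$x$PLACEHOLDER:{T - 85}:0:90:7:5::
bob:$6$x$PLACEHOLDER:{T - 100}:0:90:7:5::
carol:$6$x$PLACEHOLDER:{T - 95}:0:90:7:5::
dave:$6$x$PLACEHOLDER:0:0:90:7:5::
svc:$6$x$PLACEHOLDER:{T - 400}:0:99999:7:::
root:!$6$x$PLACEHOLDER:{T - 10}:0:99999:7:::
"""

def parse_shadow(text):
    # Map username -> aging fields; empty fields become None.
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = (line.split(":") + [""] * 9)[:9]
        num = lambda s: int(s) if s else None
        users[f[0]] = {"hash": f[1], "lastchg": num(f[2]), "min": num(f[3]),
                       "max": num(f[4]), "warn": num(f[5]), "inactive": num(f[6])}
    return users

def classify(u, today_days=T):
    """Return one status string for a parsed shadow entry."""
    if u["hash"].startswith(("!", "*")):
        return "locked"          # passwd -l prefixes the hash with "!"
    if u["lastchg"] is None:
        return "aging-disabled"  # no last-change date: aging is not tracked
    if u["lastchg"] == 0:
        return "must-change"     # passwd -e zeroes the last-change date
    if u["max"] is None or u["max"] >= 99999:
        return "no-max-age"      # passwd -x was never applied
    days_left = u["max"] - (today_days - u["lastchg"])
    if days_left < 0:
        # -i: the account is disabled once the password has been expired this long
        if u["inactive"] is not None and -days_left > u["inactive"]:
            return "inactive-disabled"
        return "expired"
    if u["warn"] is not None and days_left <= u["warn"]:
        return "expiring-soon"   # inside the -w warning window
    return "ok"

def audit(text=SAMPLE_SHADOW):
    # {username: status} for every record in the text
    return {name: classify(u) for name, u in parse_shadow(text).items()}
```

Run it against a copy of a real /etc/shadow (read as root) by passing the file contents to audit(); the sample mirrors the jack example from this section.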
How to Enforce Strong Passwords Using the PAM Module<\/strong><\/h2>\n\n\n\n
Characteristics of a Strong Password<\/strong><\/h3>\n\n\n\n
What Is the PAM Module?<\/strong><\/h3>\n\n\n\n
How to Use PAM to Enforce User Password Complexity<\/strong><\/h3>\n\n\n\n
$ sudo apt install libpam-cracklib<\/code><\/p>\n\n\n\n
$ sudo cp \/etc\/pam.d\/common-password \/etc\/pam.d\/common-password.bak<\/code><\/p>\n\n\n\n
$ sudo nano \/etc\/pam.d\/common-password<\/code><\/p>\n\n\n\n
password requisite pam_cracklib.so retry=3 minlen=8 difok=3<\/code><\/p>\n\n\n\n
password required pam_cracklib.so try_first_pass retry=3 minlen=14 lcredit=1 ucredit=1 dcredit=1 ocredit=1 difok=2 reject_username<\/code><\/p>\n\n\n\n
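As an added example (not the article's or pam_cracklib's own code), this Python checker applies the policy line above the way the text reads it, one character per class plus difok=2 and reject_username, so an admin can dry-run candidate passwords before enforcing the line. The check_password function and its violation labels are assumptions of this example; pam_cracklib's own credit arithmetic differs, as the comment notes.

```python
import string

# The policy from the common-password line, as the article interprets it.
# Note: in pam_cracklib a positive lcredit/ucredit/dcredit/ocredit value is a
# length *credit*, not a minimum; a negative value (e.g. lcredit=-1) is what
# makes that character class mandatory. This checker implements the minimum
# reading the article describes, so results can differ from the real module.
POLICY = {"minlen": 14, "lcredit": 1, "ucredit": 1, "dcredit": 1,
          "ocredit": 1, "difok": 2, "reject_username": True}

CLASSES = {
    "lcredit": ("lowercase letter", str.islower),
    "ucredit": ("uppercase letter", str.isupper),
    "dcredit": ("digit", str.isdigit),
    "ocredit": ("special character", lambda c: c in string.punctuation),
}

def check_password(new, old="", username="", policy=POLICY):
    """Return the list of policy violations for `new` (empty list = accepted)."""
    problems = []
    if len(new) < policy["minlen"]:
        problems.append(f"minlen: {len(new)} < {policy['minlen']} characters")
    for opt, (label, test) in CLASSES.items():
        found = sum(1 for c in new if test(c))
        if found < policy[opt]:
            problems.append(f"{opt}: needs {policy[opt]} {label}(s), found {found}")
    # difok: characters of the new password that do not occur in the old one
    if old:
        changed = sum(1 for c in new if c not in old)
        if changed < policy["difok"]:
            problems.append(f"difok: only {changed} new character(s), need {policy['difok']}")
    if policy["reject_username"] and username:
        low, user = new.lower(), username.lower()
        # also reject the reversed username, a common trick to slip past the rule
        if user in low or user[::-1] in low:
            problems.append("reject_username: password contains the username")
    return problems

def dry_run(candidates, old="", username="jack"):
    """Evaluate several candidates at once: {candidate: violations}."""
    return {pw: check_password(pw, old, username) for pw in candidates}
```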
Verifying the Password Complexity<\/strong><\/h3>\n\n\n\n
What More Can You Do?<\/strong><\/h2>\n\n\n\n