This tutorial explains how to use the Linux passwd command to change a user password or disable an account.
You’re assigned a ticket: a simple password reset, but it’s for a Linux machine. What do you need to know to reset a password on Linux?
First, the basics. For users, the passwd authentication token (the password hash) is stored in the /etc/shadow file. For groups, it’s stored in the appropriately named /etc/gshadow file.
passwd allows you to change passwords for either. The normal uses of passwd are:
- Reset password
- Expire, lock, and disable an account
- Reset your own account
Let’s dig into the options.
Running passwd with no arguments will prompt you to change your own password.
Changing password for samuelberry.
Current password:
Enter new password:
Retype new password:
passwd: password updated successfully
Simple enough. You’re first prompted for your current password. Its hash is compared to the hash stored in the shadow file. Then the new password is checked against the system’s complexity requirements before it is accepted.
Alright, now we need to reset another user’s password. It’s simple and the prompts will be the same except one.
sudo passwd samuelberry
Now the output skips the current-password prompt, since we’re using root privileges to control the account.
Enter new password:
Retype new password:
passwd: password updated successfully
Updating your own password as the root user follows the same process as editing another account: no current-password prompt.
You can also check the pam_tally2 history (or faillock on newer systems, where pam_tally2 has been replaced) to see whether the account has been locked by failed login attempts. Or cat the /etc/shadow file to see if the account is locked or disabled: a hash beginning with ! means it was locked with passwd.
The process for a group is the same, but requires the extra [-g] flag.
Disable an Account
Let’s assume a user has requested that their account be disabled. They’ll be out for thirty days of travel and need to secure it before they go.
There we go, account locked [-l] and expired [-e]. I prefer to expire the account as well. That way if the account is compromised, you can monitor account activity.
If the account’s password is reset while the user is out, you can configure an alert for the activity. To verify the account is locked:
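The script below is an added example, not part of the original tutorial. On a live host the quickest check is sudo passwd -S samuelberry, whose second column reads L for a locked password; this script reproduces that check by decoding a shadow entry field by field, using a constructed sample file with placeholder hashes instead of the real /etc/shadow. It also reports two things passwd -S does not spell out: whether passwd -e forced a password change (field 3 set to 0) and whether the account itself has expired (field 8). The distinction matters because, as passwd(1) notes, -l only locks the password; a user with another authentication token such as an SSH key may still log in, and fully disabling an account requires usermod --expiredate.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Decodes a user's /etc/shadow
# entry so you can confirm what "passwd -l" and "passwd -e" actually changed.
#
# /etc/shadow fields (colon-separated):
#   1 name  2 hash  3 lastchg (days since 1970-01-01; 0 = must change at next login)
#   4 min   5 max   6 warn    7 inactive  8 expire (days; empty = never)  9 reserved
# passwd -l prepends "!" to the hash (field 2); passwd -e sets lastchg (field 3)
# to 0. Only usermod --expiredate / chage -E set field 8 (account expiry).

# Constructed sample file: the hashes are placeholders, not real crypt output.
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat >"$SAMPLE_SHADOW" <<'EOF'
samuelberry:!$6$saltsalt$placeholderhash:0:0:99999:7:::
alice:$6$saltsalt$placeholderhash:19700:0:99999:7:::
bob:*:19000:0:99999:7::18000:
carol::19700:0:99999:7:::
EOF

# shadow_status USER FILE
# Prints "USER STATE[ password-expired][ account-expired]". STATE mirrors the
# second column of passwd -S: L (locked), NP (no usable password), P (usable),
# plus E for an empty hash, which allows passwordless login and deserves attention.
# Returns 1 if the user has no entry.
shadow_status() {
    user=$1
    file=$2
    line=$(grep -- "^$user:" "$file") || { echo "$user: no shadow entry" >&2; return 1; }
    hash=$(printf '%s\n' "$line" | cut -d: -f2)
    lastchg=$(printf '%s\n' "$line" | cut -d: -f3)
    expire=$(printf '%s\n' "$line" | cut -d: -f8)
    case "$hash" in
        '!'*) state=L ;;    # passwd -l / usermod -L prefix
        '*')  state=NP ;;   # never had a password set
        '')   state=E ;;    # empty: no password required
        *)    state=P ;;
    esac
    flags=""
    if [ "$lastchg" = "0" ]; then
        flags="$flags password-expired"
    fi
    today=$(( $(date +%s) / 86400 ))
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        flags="$flags account-expired"
    fi
    printf '%s %s%s\n' "$user" "$state" "$flags"
}

# Usage against the constructed file; on a real host point it at /etc/shadow (needs root).
shadow_status samuelberry "$SAMPLE_SHADOW"   # samuelberry L password-expired
shadow_status bob "$SAMPLE_SHADOW"           # bob NP account-expired
```

The samuelberry entry shows the state the tutorial describes after passwd -l and passwd -e: the hash is prefixed with ! and lastchg is 0, but field 8 is empty, so the account itself never expires. The bob entry shows the opposite: the account has an expiry date in the past, which blocks every login method regardless of the password field.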
We’ve covered how to change a user’s password using the passwd command and how to disable and expire an account. Simple enough.
There are some additional steps required for a system recovery. If you’ve locked yourself out of your server, chances are you’ll need to enter single-user mode. And if you’re working with LDAP or Microsoft AD accounts, you’ll need to reset the password in the directory rather than with passwd.