The passwd command in Linux is used to change user account passwords. The root user can change the password of any user on the system, while a normal user can only change the password of his or her own account.
passwd [options] [username]
Command [root]: passwd user1
Note: A normal user who is permitted to use sudo can invoke root privileges with it and thereby change any password, including root's own. This is particularly useful when the user is a member of the admin group (listed in /etc/sudoers, directly or through a group, and therefore able to run commands with sudo) and no root password has been set, which is the default on many common Linux distributions.
Command: sudo passwd root
Processing in passwd command:
- Verify current user password : Once the user runs passwd, it prompts for the user's current password, which is checked against the password hash stored for that user in /etc/shadow. The root user skips this step and can set a new password directly, which is how forgotten passwords are reset.
- Verify password aging information : In Linux, a user password can be set to expire after a given number of days, and a user can also be prevented from changing his or her password again for a period. This aging information (together with the password hash itself) is stored in /etc/shadow.
- Change the password : After authentication, the user is prompted to enter the new password and verify it by retyping the password.
/etc/shadow file: The shadow file holds one line per account, with 9 colon-separated fields, as shown below:
- field 1: User name.
- field 2: Password hash (traditionally called the "encrypted password"). An empty field means no password is set; a leading '!' or '*' means the password is locked or unusable.
- field 3: Number of days since January 1, 1970 on which the password was last changed.
- field 4: Minimum number of days that must pass before the password may be changed again (0 means it can be changed at any time).
- field 5: Maximum number of days the password stays valid before it must be changed (99999 effectively means it never expires).
- field 6: Number of days before expiry during which the user is warned about the expiring password.
- field 7: Number of days after the password expires before the account is disabled.
- field 8: Number of days since January 1, 1970 on which the account expires and is disabled.
- field 9: Reserved for possible future use.
Options:
- -d, --delete: Delete the user's password, leaving the password field in /etc/shadow empty. Such an account can be entered without a password, so use this only for accounts that are protected in some other way.
- -e, --expire: Immediately expire the account's password (the last-change day is set to 0), forcing the user to choose a new one at their next login.
- -h, --help: Display help for the passwd command.
- -i, --inactive INACTIVE_DAYS: Set to INACTIVE_DAYS the number of days after the password expires before the account is disabled.
example: passwd -i 3 user1
- -k, --keep-tokens: Change the password only if it has expired. A password (authentication token) that is still valid is kept as it is even though a change was requested; with a maximum age of 99999 the password never expires, so -k makes no change.
- -l, --lock: Lock the user's password. passwd prefixes the password hash in /etc/shadow with a '!' character, so that no entered password can ever match it. This does not disable the account: it only prevents password logins, and other authentication methods such as SSH keys still work. To refuse all logins, expire the account as well (for example with chage -E or usermod --expiredate).
- -n, --mindays MIN_DAYS: Set the minimum number of days between password changes to MIN_DAYS, so the user cannot change the password again within MIN_DAYS of the last change.
- -q, --quiet: Quiet mode. The message "Changing password for $user.", which is normally printed before a change, is not shown.
- -r, --repository REPO: Change the password in the repository named REPO.
- -R, --root CHROOT_DIR: Apply the changes inside CHROOT_DIR and use the configuration files found there. passwd chroots into CHROOT_DIR, so it reads and writes the /etc/passwd and /etc/shadow under that directory rather than the running system's; this is how a password is set on a mounted system image or a rescue target.
- -S, --status: Show the password status of the user as 7 space-separated fields in the following format:
user1 P 12/22/2018 0 99999 7 3
The first field is the user's login name. The second field indicates whether the account has a locked password (L), no password (NP), or a usable password (P). The third field gives the date of the last password change. The next four fields are the minimum age, maximum age, warning period, and inactivity period for the password, all expressed in days.
- -S, --status -a, --all: This combination shows the password status of all users. -a (--all) cannot be used without -S.
- -u, --unlock: Unlock the password of an account (removes the '!' prefix added by -l).
- -w, --warndays WARN_DAYS: Set the number of days before the password expires on which the user starts to be warned about the upcoming expiry.
- -x, --maxdays MAX_DAYS: Set the maximum number of days for which the password remains valid. After MAX_DAYS the password expires and the user is forced to change it.
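The 9-field /etc/shadow layout, the '!' prefix written by passwd -l and the L/NP/P status printed by passwd -S can all be checked with a small audit script that reads the file rather than calling passwd. The following is an added example, not code from the original page or from the shadow utilities; the sample lines and hash values in it are constructed placeholders, and the names parse_shadow, audit and today are the example's own.

```python
"""Parse constructed /etc/shadow lines and summarise them the way `passwd -S` does.

Added example, not from the original page or the shadow suite. It never reads the
real /etc/shadow; the lines below are constructed and the hashes are placeholders.
"""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass

EPOCH = dt.date(1970, 1, 1)

# Constructed sample data, one account per line, in the 9-field format.
SAMPLE_SHADOW = (
    "user1:$6$salt$FAKEHASH:17887:0:99999:7:3::\n"   # usable password, never expires
    "locked:!$6$salt$FAKEHASH:17887:0:90:7:::\n"    # passwd -l prefixed the hash with '!'
    "nopass::17887:0:99999:7:::\n"                  # passwd -d removed the password
    "svc:*:17887:0:99999:7::17500:\n"               # no usable password; account expired on day 17500
    "stale:$6$salt$FAKEHASH:17000:0:90:7:3::\n"     # password older than its 90-day maximum
)


@dataclass
class ShadowEntry:
    name: str
    hash: str
    last_change: int    # days since 1970-01-01; -1 if the field is empty
    min_days: int
    max_days: int
    warn_days: int
    inactive_days: int
    expire_day: int     # days since 1970-01-01; -1 if the account never expires
    reserved: str

    @classmethod
    def parse(cls, line: str) -> "ShadowEntry":
        f = line.rstrip("\n").split(":")
        if len(f) != 9:
            raise ValueError(f"expected 9 colon-separated fields, got {len(f)}")
        # Empty numeric fields become -1, which is how the shadow suite stores them.
        num = [int(x) if x else -1 for x in f[2:8]]
        return cls(f[0], f[1], *num, f[8])

    def pw_status(self) -> str:
        """L = locked (hash starts with '!' or '*'), NP = no password, P = usable."""
        if self.hash[:1] in ("!", "*"):
            return "L"
        if self.hash == "":
            return "NP"
        return "P"

    def status_line(self) -> str:
        """Same layout as `passwd -S`: name, status, last change, min, max, warn, inactive."""
        date = (EPOCH + dt.timedelta(days=self.last_change)).strftime("%m/%d/%Y")
        return (f"{self.name} {self.pw_status()} {date} {self.min_days} "
                f"{self.max_days} {self.warn_days} {self.inactive_days}")


def parse_shadow(text: str) -> list[ShadowEntry]:
    return [ShadowEntry.parse(line) for line in text.splitlines() if line.strip()]


def audit(entries: list[ShadowEntry], today: int) -> dict[str, list[str]]:
    """Findings per account for a given 'today' (days since epoch). Passing the day
    explicitly keeps the result deterministic; use (dt.date.today() - EPOCH).days live."""
    findings: dict[str, list[str]] = {}
    for e in entries:
        notes = []
        status = e.pw_status()
        if status == "NP":
            notes.append("no password set: the account can be entered without one")
        if status == "L" and e.expire_day == -1:
            notes.append("password locked but account not expired: "
                         "ssh keys or other non-password logins still work")
        if e.last_change == 0:
            notes.append("password change forced at next login (passwd -e)")
        elif e.last_change > 0 and e.max_days not in (-1, 99999) \
                and today - e.last_change > e.max_days:
            notes.append(f"password expired {today - e.last_change - e.max_days} days ago")
        if e.expire_day != -1 and today >= e.expire_day:
            notes.append("account expired: all logins refused")
        if notes:
            findings[e.name] = notes
    return findings


if __name__ == "__main__":
    accounts = parse_shadow(SAMPLE_SHADOW)
    for entry in accounts:
        print(entry.status_line())
    for name, notes in audit(accounts, today=17900).items():
        print(f"{name}: {'; '.join(notes)}")
```

The audit distinguishes the three cases that passwd -S folds into one letter or hides entirely: an empty hash (NP) is a real hole, a '!' or '*' hash (L) still admits key-based logins unless field 8 has also been set, and a usable password (P) can still be past its maximum age. Run it against a copy of a real /etc/shadow by replacing SAMPLE_SHADOW with the file contents and today with the current day count.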