Password configuration
Password aging requires users to change their password periodically. Use the chage command to configure password expiration. The syntax is:
# chage [options] user_name
When you run chage with only a user name, the currently set values are displayed as the defaults:
# chage oracle
Changing the aging information for oracle
Enter the new value, or press ENTER for the default
    Minimum Password Age [14]:
    Maximum Password Age [30]:
    Last Password Change (YYYY-MM-DD) [2016-08-23]:
    Password Expiration Warning [7]:
    Password Inactive [-1]:
    Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
Password expiration information is stored in the /etc/shadow file.
# grep oracle /etc/shadow
oracle:$6$H28sLVDL$iNvp/AvbMeqqrslH2bfmTxJpE6.mO8UNzlIXGB3sp87jZP9dW1DxeoLf2QXR7hkLkomuXbtgO1zPKUEYRY8YI1:15284:14:30:7:::
As shown above, the oracle user has a minimum password age of 14 days and a maximum password age of 30 days. This means the user cannot change the password again until 14 days after the last change, and must change it within 30 days of the last change. The user is also warned to change the password 7 days before the password expiry date.
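The aging fields in an /etc/shadow entry are day counts, with the last-change field counted from 1970-01-01. The following is an added example, not part of the original page: a small Python parser that turns an entry into the dates those fields imply and reads the hash scheme from the $id$ prefix. The two entries are constructed samples with placeholder hashes, and the names parse_shadow, SAMPLE and FORCED are made up for this illustration.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # aging fields count days since this date
SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512"}  # crypt(3) $id$ prefixes

# Constructed entries: aging fields as in the oracle example, placeholder hashes.
SAMPLE = "oracle:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:15284:14:30:7:::"
FORCED = "geek:$1$SALTPLACEHOLDER$HASHPLACEHOLDER:0:0:99999:7:::"


def parse_shadow(line):
    """Decode one /etc/shadow entry into its hash scheme and aging dates."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(f))
    # Empty aging fields mean "not set".
    last, mn, mx, warn = (int(x) if x else None for x in f[2:6])
    pw = f[1].lstrip("!")  # a leading "!" marks a locked password
    if pw.startswith("$"):
        scheme = SCHEMES.get(pw.split("$")[1], "other")
    else:
        scheme = "legacy-or-none"  # descrypt/bigcrypt hash, "*" or empty
    info = {"user": f[0], "scheme": scheme, "must_change_now": last == 0,
            "last_change": None, "earliest_change": None,
            "warn_from": None, "expires": None}
    if last:  # skip date math when unset or 0 (forced change at next login)
        info["last_change"] = EPOCH + timedelta(days=last)
        info["earliest_change"] = EPOCH + timedelta(days=last + (mn or 0))
        # 99999 is the PASS_MAX_DAYS default; chage -l shows it as "never".
        if mx is not None and mx < 99999:
            info["expires"] = EPOCH + timedelta(days=last + mx)
            info["warn_from"] = info["expires"] - timedelta(days=warn or 0)
    return info


if __name__ == "__main__":
    for entry in (SAMPLE, FORCED):
        print(parse_shadow(entry))
```

Reading the real /etc/shadow requires root, so feed the function lines captured with grep as shown above rather than opening the file from an unprivileged script.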
chage options
A number of options are available with the chage command. To list aging information:
# chage -l geek
Last password change                                    : Sep 18, 2016
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
To force a user to set a new password immediately (force immediate expiration), set the last password change value to 0 :
# chage -d 0 geek
authconfig
The Linux user password hashing algorithm is also configurable. Use the authconfig command to determine the current algorithm being used, or to set it to something different. To determine the current algorithm:
# authconfig --test | grep hashing
 password hashing algorithm is sha512
To change the algorithm, use the --passalgo option with one of the following as a parameter: descrypt, bigcrypt, md5, sha256, or sha512, followed by the --update option.
# authconfig --passalgo=md5 --update
/etc/login.defs file
The /etc/login.defs file provides default user account settings. Default values include:
- Location of user mailboxes
- Password aging controls
- Values for automatic UID selection
- Values for automatic GID selection
- User home directory creation options
- umask value
- Encryption method used to encrypt passwords
Sample /etc/login.defs file:
# cat /etc/login.defs
.....
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
......
GID_MIN         1000
GID_MAX         60000
.....
UID_MIN         1000
UID_MAX         60000