Wednesday, 15 June 2016

RHEL PASSWORD POLICY

Linux: turn OFF password expiration / aging


/etc/shadow stores each account's actual password in hashed ("encrypted") form, together with additional properties related to the user's password.
The password expiration information for a user is contained in the last 6 fields. Password expiration for a selected user can be disabled by editing the /etc/shadow file directly.
However, I recommend using the chage command. The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password.
To list the current aging settings, run the chage command as follows:
# chage -l oracle
Output:
Last password change                                    : May 22, 2007
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

To disable password aging / expiration for user foo, run chage as follows and set:
Minimum Password Age to 0
Maximum Password Age to 99999
Password Inactive to -1
Account Expiration Date to -1
Interactive mode command:

# chage username

OR
# chage -I -1 -m 0 -M 99999 -E -1 username
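As an added example (my own script, not part of the original post and not a chage feature), the following shell code reads the aging fields that chage -l reports straight out of shadow-format lines, so you can audit many accounts at once without changing anything and without root. It assumes the standard nine-field /etc/shadow layout (name:hash:lastchg:min:max:warn:inactive:expire:reserved), takes "today" as a day number so it runs offline against constructed sample entries, and the function names aging_status and audit_shadow are my own.

```shell
#!/bin/sh
# Added example, not from the original post: read the aging fields that
# "chage -l" reports straight out of shadow-format lines, without root.
# Shadow layout assumed: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are days since 1970-01-01; max 99999 (or empty) = never.

# Classify one entry against $2 = "today" as a day number (see demo below).
# Prints: never-expires | ok | expires-soon | expired | inactive-locked
aging_status() {
    local line=$1 today=$2
    local name hash lastchg min max warn inactive expire rest
    IFS=: read -r name hash lastchg min max warn inactive expire rest <<EOF
$line
EOF
    # chage -M 99999 (or an empty max field) disables expiry.
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo never-expires; return 0
    fi
    local expires_on=$(( lastchg + max ))
    local days_left=$(( expires_on - today ))
    if [ "$days_left" -lt 0 ]; then
        # inactive >= 0 means the account locks that many days after expiry;
        # -1 or empty (chage -I -1) disables that lock.
        if [ -n "$inactive" ] && [ "$inactive" -ge 0 ] \
           && [ $(( today - expires_on )) -gt "$inactive" ]; then
            echo inactive-locked
        else
            echo expired
        fi
    elif [ "$days_left" -le "${warn:-0}" ]; then
        echo expires-soon      # inside the warning window (field 6)
    else
        echo ok
    fi
}

# Audit every entry in a shadow-format file: one "user<TAB>status" line each.
audit_shadow() {
    local file=$1 today=$2 entry
    while IFS= read -r entry; do
        printf '%s\t%s\n' "${entry%%:*}" "$(aging_status "$entry" "$today")"
    done < "$file"
}

# Demo on constructed entries (hashes shortened): sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    today=$(( $(date +%s) / 86400 ))
    sample=$(mktemp)
    printf '%s\n' \
        'oracle:$6$ciJaoDR9$Qpt9sctRLjbZ4:16299:0:99999:7:::' \
        "alice:\$6\$ciJaoDR9\$Qpt9sctRLjbZ4:$(( today - 30 )):0:90:7:::" \
        "bob:\$6\$ciJaoDR9\$Qpt9sctRLjbZ4:$(( today - 86 )):0:90:7:::" \
        "carol:\$6\$ciJaoDR9\$Qpt9sctRLjbZ4:$(( today - 120 )):0:90:7:5::" > "$sample"
    audit_shadow "$sample" "$today"
    rm -f "$sample"
fi
```

Against a real system you would pass today's day number, $(( $(date +%s) / 86400 )), and a copy of /etc/shadow; an entry reported as never-expires is exactly what the chage -M 99999 command above produces, so the script doubles as a check that the change took effect.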
Updated for accuracy.

There are a few commands which I know can be used to see whether a user account on your Linux machine is locked.

Case 1: Password Locked

In this case the password of an account is locked using the command below.

To lock the password

# passwd -l user1
Locking password for user user1.
passwd: Success


Review the status in /etc/shadow

# grep user1 /etc/shadow
user1:!!$6$ciJaoDR9$Qpt9sctRLjbZ4/Agxy9UOvu/XQqNrFo9rpgfZ/xrF/8JphkEvF29ITpef0SVLdJcrpv8Q/.6mRAHee4tZT0r11:16299:0:99999:7:::

As you can see above, two exclamation marks (!!) appear before the encrypted password, which means that the password has been locked.

To unlock the password

# passwd -u user1
Unlocking password for user user1.
passwd: Success

Case 2: Account is Locked
In this case the user account might have been locked by the administrator.

To lock an account

# usermod -L user1

Review your /etc/shadow file for the changes

# grep user1 /etc/shadow
user1:!$6$ciJaoDR9$Qpt9sctRLjbZ4/Agxy9UOvu/XQqNrFo9rpgfZ/xrF/8JphkEvF29ITpef0SVLdJcrpv8Q/.6mRAHee4tZT0r11:16299:0:99999:7:::

As you see, an extra single exclamation mark (!) appeared in the password field before the encrypted password, which signifies that the user account is locked.

To unlock a user account

# usermod -U user1

Case 3: Password never set
This can also be the scenario where the administrator has not assigned any password, due to which the user is not able to log in.

So to verify this, again you need to check your /etc/shadow file:
# grep user1 /etc/shadow
user1:!!:16299:0:99999:7:::

As you see, the two exclamation marks (!!) are there but no encrypted password follows, which means a password is not set.

If the password was set without a lock, your /etc/shadow would look something like below:
# grep user1 /etc/shadow
user1:$6$ciJaoDR9$Qpt9sctRLjbZ4/Agxy9UOvu/XQqNrFo9rpgfZ/xrF/8JphkEvF29ITpef0SVLdJcrpv8Q/.6mRAHee4tZT0r11:16299:0:99999:7:::

Check the lock status of any Linux account
Now one single command to see the lock status of the user:
# passwd -S user1
user1 LK 2014-08-17 0 99999 7 -1 (Password locked.)
If the user account is unlocked you will see output like below:

# passwd -S user1
user1 PS 2014-08-17 0 99999 7 -1 (Password set, SHA512 crypt.)
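To apply the three cases above to many entries at once, here is an added example (my own shell code, not part of the original post and not a passwd feature) that classifies the password field of shadow-format lines and reports a passwd -S style status word with a reason. The mapping of "!!" to passwd -l and "!" to usermod -L follows the outputs shown in this post; other versions use a single "!" for both, so treat that reason as a hint rather than proof of which tool was used. The sample lines are constructed from the post's examples with the hash shortened, and the function names lock_status, hash_algo and audit_locks are my own.

```shell
#!/bin/sh
# Added example, not from the original post: classify the password field of
# /etc/shadow entries without root (sample lines are constructed below).
# Shadow layout assumed: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Name the crypt(3) scheme from the "$id$" prefix of a password hash.
hash_algo() {
    case $1 in
        '$6$'*) echo SHA512 ;;
        '$5$'*) echo SHA256 ;;
        '$1$'*) echo MD5 ;;
        '$y$'*) echo yescrypt ;;
        '$2'*)  echo bcrypt ;;
        *)      echo unknown ;;
    esac
}

# Print "<status> <reason>" for one shadow line. Status mirrors passwd -S:
#   PS = password set, LK = locked, NP = no password.
# The passwd-l / usermod-L distinction follows the "!!" vs "!" prefixes shown
# in the post; some versions write "!" for both, so the reason is only a hint.
lock_status() {
    local line=$1 name hash rest
    IFS=: read -r name hash rest <<EOF
$line
EOF
    case $hash in
        '')        echo "NP empty-field" ;;   # no password required at all: high risk
        '!!')      echo "NP never-set" ;;     # Case 3: !! with nothing after it
        '*'|'!*')  echo "LK no-login" ;;      # placeholder used for system accounts
        '!!'*)     echo "LK passwd-l" ;;      # Case 1: !! in front of a real hash
        '!'*)      echo "LK usermod-L" ;;     # Case 2: ! in front of a real hash
        '$'*)      echo "PS $(hash_algo "$hash")" ;;
        *)         echo "PS unknown" ;;       # legacy DES-style or unrecognised hash
    esac
}

# Audit a whole shadow-format file: one "user<TAB>status reason" line per entry.
audit_locks() {
    local file=$1 entry
    while IFS= read -r entry; do
        printf '%s\t%s\n' "${entry%%:*}" "$(lock_status "$entry")"
    done < "$file"
}

# Demo on constructed entries (hash shortened): sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    sample=$(mktemp)
    printf '%s\n' \
        'user1:!!$6$ciJaoDR9$Qpt9sctRLjbZ4:16299:0:99999:7:::' \
        'user2:!$6$ciJaoDR9$Qpt9sctRLjbZ4:16299:0:99999:7:::' \
        'user3:!!:16299:0:99999:7:::' \
        'user4:$6$ciJaoDR9$Qpt9sctRLjbZ4:16299:0:99999:7:::' \
        'daemon:*:16299:0:99999:7:::' > "$sample"
    audit_locks "$sample"
    rm -f "$sample"
fi
```

The empty-field case is worth the extra branch: an empty second field in /etc/shadow is not "locked" or "unset", it means login with no password at all, which passwd -S reports as NP and which an audit should flag first.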
