passwd
change user password
see also :
chpasswd - usermod
Synopsis
examples
source
Trying to change an Ubuntu user's password, authentication token manipulation error
Check the permissions on your /etc/shadow file. They must be set
to 000 or you cannot edit user password data
source
Linux (redhat) how to change password to previous password
Either enter the password as root, or modify the PAM
configuration to relax the password requirements. Either way,
this is something that only root can do.
root $ useradd rohit
root $ passwd rohit
new password = 123456
password set...
su - rohit
rohit $ passwd
enter unix password = 654321
authentication token manipulation error ------
example added by rohit
source
Prevent linux user from changing their password in ssh
Do chmod go-rx /usr/bin/passwd
Normal users can then not run passwd. If you want some users to be able to, you can put them in a special group perhaps.
source
login login.gdb
passwd passwd.gdb
source
Does the root account always have UID/GID 0?
There are actually two parts to your question.
Does the superuser account always have uid/gid 0/0 on Linux?
Yes. As is pointed out by Rich Homolka in a comment, there's code in the kernel which explicitly checks for uid 0 when needing to check for the root user, which means that root always has at least uid 0.
Is the name of the user account with uid 0 always root?
No. root is just a name, listed in /etc/passwd or some other authentication store. You could just as well call the account admin, and the OS itself won't care, but some applications might not quite like it because they expect there to exist a privileged account named root. Calling the uid 0 account on a *nix root is a very strongly held convention, but it isn't required by the system.
It's also worth noting that, as pointed out by Simon Richter, on BSDs there often exists a second uid 0 account, by convention named toor (which is "root" spelled backwards). For example, FreeBSD uses it to provide a root user with a customized shell setting, leaving the root user with a default shell which is guaranteed to exist on the system's root partition (useful for recovery purposes).
source
Cannot lock /etc/passwd; try again later
That's because you don't have permissions for those operations:
- You can't read /etc/shadow
- You can't directly modify /etc/passwd
You can change both files through specialized commands (e.g. you can change your password).
source
Reset user passwd when you don't know it
source
How to restore the /etc/passwd file?
Maybe this: When the bootloader shows up, add
init=/bin/bash
to the kernel parameters. Instead of booting normally (with the
init process spawning all the other services including login),
you should end up in single-user mode with a root shell (no
password is asked) and be able to restore the passwd file. On
some distributions you may need to manually remount the root
partition in read/write mode before moving the file:
mount -o remount,rw /dev/sda123
(I don't want to test your issue and see if this solution works
:)
source
how to add a SMB (samba) password for a user in Debian, when there is no smbpasswd binary?
Looks like it's in the samba-common-bin package:
package page, filelist
Appears this was spun out of samba-common with version 2:3.4.0~pre2-1 of the samba source package (changelog):
samba (2:3.4.0~pre2-1) experimental; urgency=low
[ Jelmer Vernooij ]
* Split binaries out of samba-common into samba-common-bin.
Closes: #524661
source
Renamed root in /etc/passwd and now sudo does not work
Try :
sudo -u new_wrong_root_user
If you can't, reboot on a live-cd, then in terminal :
mkdir target
mount /dev/sda1 target # sda1 if / is the first partition of the first drive
vim target/etc/passwd
source
passwd/shadow or group/gshadow mismatch?
Why would you use Excel?
cut -d: -f1 /etc/passwd | sort > p.out
sudo cut -d: -f1 /etc/shadow | sort > s.out
diff p.out s.out
rm p.out s.out
Or in Bash:
diff <(cut -d: -f1 /etc/passwd | sort) <(sudo cut -d: -f1 /etc/shadow | sort)
and you can do the same kind of thing for /etc/group and /etc/gshadow.
You need to run GUI System>Administration>Users and Groups with elevated permissions. Is it asking you for a password?
source
how to share Linux user passwords and Samba passwords
Use PAM's support module for /etc/passwd.
Update:
There is a fundamental reason why you cannot unify these
authentication mechanisms in any simple way.
- Unix and Linux /etc/passwd authentication requires that the
user's password be presented to the server. This can be within an
encrypted channel (as in SSH password authentication when not
using private-key authentication).
- NTLM and MS-Kerberos authentication don't transmit passwords;
they transmit a hash of a password and the authenticating server
takes its copy of the user's password, constructs a hash using
the same algorithm and compares the hash result with the hash
presented by the client. Since /etc/passwd doesn't store
passwords and uses a different hashing algorithm, /etc/passwd has
insufficient information for authenticating NTLM/Kerberos
clients.
- Really old SMB authentication protocols pass the password (in
plaintext, i.e. unprotected) and a SMB server can therefore
compute a /etc/passwd type hash of this and compare it to the
hash stored in /etc/passwd.
From the above it follows that you need a separate file to store
passwords (smbpasswd) or a domain controller if you want to avoid
plain text passwords transiting your LAN.
source
How can I automatically pass the password to 'su'?
Your exploit could also write to the groups file and make the current user part of the 'wheel' group (or whatever group can run sudo commands w/o a password). Then you'll be able to sudo su root (or any other user) w/o a password.
Running visudo should give you some direction on the setup of the 'wheel' group on your machine.
To clarify: once a user becomes part of the wheel group, they can
run sudo commands without needing a password.
source
passwd pauses after bad password has been entered
Yes, the delay is a protection against brute force, and is around
3 seconds.
The reason why it doesn't appear in the passwd man is because it is controlled by the authentication backend - usually pam.
man pam_unix
Shows you can set a nodelay to eliminate the delay.
You can also set application-specific delays in pam_faildelay
man pam_faildelay
These settings are all managed in /etc/pam.d/*
source
Use Qemu & chroot to reset password on mounted external disk
This is probably a useful starting point, because it includes
instructions for dealing with mirrored drives: http://forums.seagate.com/t5/BlackArmor-NAS-Network-Storage/SSH-root-access-for-BlackArmor-NAS/td-p/108264
A quick and dirty solution if the NAS uses standard /etc/passwd and /etc/shadow files (this depends on its /etc/nsswitch.conf as well as its pam configuration in /etc/pam.conf and /etc/pam.d/*), is to simply delete the root password there: assuming you've mounted the NAS root partition as /mnt, then edit /mnt/etc/shadow to clear the password field (change a line starting root:<hashed_password>:... to root::...).
Remember that you absolutely must log into the
NAS, become root (if you get a password prompt, just hit return)
and set a new password before reattaching it to a shared network
(let alone the internet), because root has an empty password!
description
The passwd command changes passwords for user accounts. A normal user may only change the password for his/her own account, while the superuser may change the password for any account. passwd also changes the account or associated password validity period.
Password Changes
The user is first prompted for his/her old password, if one
is present. This password is then encrypted and compared
against the stored password. The user has only one chance to
enter the correct password. The superuser is permitted to
bypass this step so that forgotten passwords may be
changed.
After the password has been entered, password aging information is checked to see if the user is permitted to change the password at this time. If not, passwd refuses to change the password and exits.
The user is then prompted twice for a replacement password. The second entry is compared against the first and both are required to match in order for the password to be changed.
Then, the password is tested for complexity. As a general guideline, passwords should consist of 6 to 8 characters including one or more characters from each of the following sets:
• lower case alphabetics
• digits 0 thru 9
• punctuation marks
Care must be taken not to include the system default erase or kill characters. passwd will reject any password which is not suitably complex.
Hints for user passwords
The security of a password depends upon the strength of the
encryption algorithm and the size of the key space. The
legacy UNIX System encryption method is based on the
NBS DES algorithm. More recent methods are now recommended
(see ENCRYPT_METHOD). The size of the key space
depends upon the randomness of the password which is
selected.
Compromises in password security normally result from careless password selection or handling. For this reason, you should not select a password which appears in a dictionary or which must be written down. The password should also not be a proper name, your license number, birth date, or street address. Any of these may be used as guesses to violate system security.
You can find advice on how to choose a strong password on
http://en.wikipedia.org/wiki/Password_strength
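The password field that these hints (legacy DES versus newer methods) and the earlier NAS answer (an empty root field) refer to can be checked mechanically. The following is an added example, not part of the man page or of any quoted answer: it reads shadow-format lines on stdin and reports, per account, whether the field is empty, locked with a leading '!', or usable, and which hashing scheme its prefix indicates. The function names, the state and scheme labels, and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify field 2 of shadow-format lines read from stdin.
# Output per account: <login> <state> <scheme>
classify_shadow() {
    awk -F: '
    NF >= 2 && $1 != "" {
        pw = $2; state = "usable"; scheme = "-"
        if (pw == "") { print $1, "empty", scheme; next }   # e.g. root::...
        if (substr(pw, 1, 1) == "!") {                      # set by passwd -l
            state = "locked"; sub(/^!+/, "", pw)
        }
        if (pw == "" || pw == "*") {                        # no hash to match
            if (state != "locked") state = "nologin"
            print $1, state, scheme; next
        }
        if      (pw ~ /^[$]6[$]/)          scheme = "sha512crypt"
        else if (pw ~ /^[$]5[$]/)          scheme = "sha256crypt"
        else if (pw ~ /^[$]y[$]/)          scheme = "yescrypt"
        else if (pw ~ /^[$]2[abxy]?[$]/)   scheme = "bcrypt"
        else if (pw ~ /^[$]1[$]/)          scheme = "md5crypt-legacy"
        else if (length(pw) == 13 && pw ~ "^[./0-9A-Za-z]+$")
                                           scheme = "des-legacy"
        else                               scheme = "unknown"
        print $1, state, scheme
    }'
}

# Constructed sample lines; the hash strings are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
root::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhashvalue:19000:0:99999:7:::
bob:!$y$j9T$constructedsalt$constructedhashvalue:19000:0:99999:7:::
carol:XXconstructed:19000:0:99999:7:::
dave:$1$constructed$constructedhashvalue:19000:0:99999:7:::
EOF
}

# Real use (as root): classify_shadow < /etc/shadow
# or, for a mounted disk: classify_shadow < /mnt/etc/shadow
sample_shadow | classify_shadow
```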
options
The options which apply to the passwd command are:
-a, --all
    This option can be used only with -S and shows the status for all users.
-d, --delete
    Delete a user's password (make it empty). This is a quick way to disable a password for an account. It will set the named account passwordless.
-e, --expire
    Immediately expire an account's password. This in effect can force a user to change his/her password at the user's next login.
-h, --help
    Display help message and exit.
-i, --inactive INACTIVE
    This option is used to disable an account after the password has been expired for a number of days. After a user account has had an expired password for INACTIVE days, the user may no longer sign on to the account.
-k, --keep-tokens
    Indicate password change should be performed only for expired authentication tokens (passwords). The user wishes to keep their non-expired tokens as before.
-l, --lock
    Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a '!' at the beginning of the password).
    Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this sets the account's expire date to Jan 2, 1970).
    Users with a locked password are not allowed to change their password.
-n, --mindays MIN_DAYS
    Set the minimum number of days between password changes to MIN_DAYS. A value of zero for this field indicates that the user may change his/her password at any time.
-q, --quiet
    Quiet mode.
-r, --repository REPOSITORY
    Change password in REPOSITORY repository.
-R, --root CHROOT_DIR
    Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory.
-S, --status
    Display account status information. The status information consists of 7 fields. The first field is the user's login name. The second field indicates if the user account has a locked password (L), has no password (NP), or has a usable password (P). The third field gives the date of the last password change. The next four fields are the minimum age, maximum age, warning period, and inactivity period for the password. These ages are expressed in days.
-u, --unlock
    Unlock the password of the named account. This option re-enables a password by changing the password back to its previous value (to the value before using the -l option).
-w, --warndays WARN_DAYS
    Set the number of days of warning before a password change is required. The WARN_DAYS option is the number of days prior to the password expiring that a user will be warned that his/her password is about to expire.
-x, --maxdays MAX_DAYS
    Set the maximum number of days a password remains valid. After MAX_DAYS, the password is required to be changed.
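An added example (not from the man page) that parses the seven-field output of passwd -S -a described above and flags accounts with no password, a maximum age beyond a limit, or no expiry warning. MAX_LIMIT and its 90-day default are an assumed site policy, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: audit `passwd -S -a` style lines read from stdin.
# Fields: login, status (L/NP/P), last change, min, max, warn, inactive.
# MAX_LIMIT is an assumed site policy in days, not a passwd default.
audit_status() {
    awk -v limit="${MAX_LIMIT:-90}" '
    NF != 7 { next }                      # not a status line, ignore
    {
        user = $1; status = $2
        max = $5 + 0; warn = $6 + 0
        if (status == "NP") { print user ": no password set"; next }
        if (status == "L")  { next }      # locked password, aging is moot
        if (status != "P")  { print user ": unknown status " status; next }
        # a negative or very large maximum age means no effective expiry
        if (max < 0 || max > limit)
            print user ": maximum age " max " exceeds " limit " days"
        else if (warn == 0)
            print user ": no warning before expiry"
    }'
}

# Constructed sample in the format described for -S (not real accounts).
sample_status() {
    cat <<'EOF'
root P 05/12/2023 0 99999 7 -1
alice P 01/15/2024 1 90 7 30
bob L 11/02/2022 0 99999 7 -1
svc NP 03/09/2021 0 99999 7 -1
carol P 02/20/2024 0 60 0 -1
EOF
}

# Real use (as root): passwd -S -a | audit_status
sample_status | audit_status
```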
caveats
Password complexity checking may vary from site to site. The user
is urged to select a password as complex as he or she feels
comfortable with.
Users may not be able to change their password on a system if NIS
is enabled and they are not logged into the NIS server.
passwd uses PAM to authenticate users and to change their
passwords.
exit values
The passwd command exits with the following values:
0
    success
1
    permission denied
2
    invalid combination of options
3
    unexpected failure, nothing done
4
    unexpected failure, passwd file missing
5
    passwd file busy, try again
6
    invalid argument to option
files
/etc/passwd
    User account information.
/etc/shadow
    Secure user account information.
/etc/pam.d/passwd
    PAM configuration for passwd.
see also
chpasswd, passwd, shadow, usermod.