change user password
See also: chpasswd, usermod
Trying to change a Ubuntu user's password, authentication token manipulation error
Check the permissions on your /etc/shadow file. They must be set
to 000 or you cannot edit user password data
Linux (redhat) how to change password to previous password
Either enter the password as root, or modify the PAM
configuration to relax the password requirements. Either way,
this is something that only root can do.
root $ useradd rohit
root $ passwd rohit
new password = 123456
su - rohit
rohit $ passwd
enter unix password = 654321
authentication token manipulation error ------
example added by rohit
Prevent linux user from changing their password in ssh
chmod go-rx /usr/bin/passwd
Normal users can then not run passwd. If you want some users to
be able to, you can put them in a special group perhaps.
Does the root account always have UID/GID 0?
There are actually two parts to your question.
Does the superuser account always have uid/gid 0/0 on Linux?
Yes. As is pointed out by Rich Homolka in
a comment, there's code in the kernel which explicitly checks
for uid 0 when needing to check for the root user, which means
that root always has at least uid 0.
Is the name of the user account with uid 0 always
root is just a name, listed in
/etc/passwd or some other authentication store. You could just as
well call the account
admin, and the OS itself won't
care, but some applications might not quite like it because they
expect there to exist a privileged account named
root. Calling the uid 0 account on a *nix
root is a very strongly held convention, but it
isn't required by the system.
It's also worth noting that, as pointed out by Simon
Richter, on BSDs there often exists a second uid 0
account, by convention named
toor (which is "root"
spelled backwards). For example, FreeBSD uses it to provide a root user with a
customized shell setting, leaving the root user with a default
shell which is guaranteed to exist on the system's root
partition (useful for recovery purposes).
Cannot lock /etc/passwd; try again later
That's because you don't have permissions for those operations
- You can't read
- You can't directly modify
You can change both files through specialized commands (e.g. you
can change your password).
Reset user passwd when you don't know it
How to restore the /etc/passwd file?
Maybe this: When the bootloader shows up, add
to the kernel parameters. Instead of booting normally (with the
init process spawning all the other services including login),
you should end up in single-user mode with a root shell (no
password is asked) and be able to restore the passwd file. On
some distributions you may need to manually remount the root
partition in read/write mode before moving the file:
mount -o remount,rw /dev/sda123
(I don't want to test your issue and see if this solution works
how to add a SMB (samba) password for a user in Debian, when there is no smbpasswd binary?
Looks like it's in the
package page, filelist
Appears this was spun out of
version 2:3.4.0~pre2-1 of the
samba source package
samba (2:3.4.0~pre2-1) experimental; urgency=low
[ Jelmer Vernooij ]
* Split binaries out of samba-common into samba-common-bin.
Renamed root in /etc/passwd and now sudo does not work
sudo -u new_wrong_root_user
If you can't, reboot on a live-cd, then in terminal :
mount /dev/sda1 target # sda1 if / is the first partition of the first drive
passwd/shadow or group/gshadow mismatch?
Why would you use Excel?
cut -d: -f1 /etc/passwd | sort > p.out
sudo cut -d: -f1 /etc/shadow | sort > s.out
diff p.out s.out
rm p.out s.out
Or in Bash:
diff <(cut -d: -f1 /etc/passwd | sort) <(sudo cut -d: -f1 /etc/shadow | sort)
and you can do the same kind of thing for
You need to run
GUI System>Administration>Users and
Groups with elevated permissions. Is it asking you for a
how to share Linux user passwords and Samba passwords
Use PAM's support module for /etc/passwd.
There is a fundamental reason why you cannot unify these
authentication mechanisms in any simple way.
- Unix and Linux /etc/passwd authentication requires that the
user's password be presented to the server. This can be within an
encrypted channel (as in SSH password authentication when not
using private-key authentication).
- NTLM and MS-Kerberos authentication don't transmit passwords;
they transmit a hash of a password and the authenticating server
takes its copy of the user's password, constructs a hash using
the same algorithm and compares the hash result with the hash
presented by the client. Since /etc/passwd doesn't store
passwords and uses a different hashing algorithm, /etc/passwd has
insufficient information for authenticating NTLM/Kerberos
- Really old SMB authentication protocols pass the password (in
plaintext, i.e. unprotected) and a SMB server can therefore
compute a /etc/passwd type hash of this and compare it to the
hash stored in /etc/passwd.
From the above it follows that you need a separate file to store
passwords (smbpasswd) or a domain controller if you want to avoid
plain text passwords transiting your LAN.
How can I automatically pass the password to 'su'?
Your exploit could also write to the groups file and make the
current user part of the 'wheel' group (or whatever group can run
sudo commands w/o a password). Then you'll be able
sudo su root (or any other user) w/o a password.
visudo should give you some direction on the
setup of the 'wheel' group on your machine.
To clarify: once a user becomes part of the wheel group, they can
run sudo commands without needing a password.
passwd pauses after bad password has been entered
Yes, the delay is a protection against brute force, and is around
The reason why it doesn't appear in the passwd man, is because it
is controlled by the authentication backend - usually
Shows you can set a
nodelay to eliminate the delay.
You can also set application-specific delays in
These settings are all managed in
Use Qemu & chroot to reset password on mounted external disk
This is probably a useful starting point, because it includes
instructions for dealing with mirrored drives: http://forums.seagate.com/t5/BlackArmor-NAS-Network-Storage/SSH-root-access-for-BlackArmor-NAS/td-p/108264
A quick and dirty solution if the NAS uses a standard
/etc/shadow files (this
depends on its
/etc/nsswitch.conf as well as its pam
/etc/pam.d/*), is to simply delete the root password
there: assuming you've mounted the NAS root partition as
/mnt, then edit
clear the password field (change a line starting
Remember that you absolutely must log into the
NAS, become root (if you get a password prompt, just hit return)
and set a new password before reattaching it to a shared network
(let alone the internet), because root has an empty password!
The passwd command changes passwords for user accounts. A
normal user may only change the password for his/her own
account, while the superuser may change the password for any
account. passwd also changes the account or
associated password validity period.
The user is first prompted for his/her old password, if one
is present. This password is then encrypted and compared
against the stored password. The user has only one chance to
enter the correct password. The superuser is permitted to
bypass this step so that forgotten passwords may be
password has been entered, password aging information is
checked to see if the user is permitted to change the
password at this time. If not, passwd refuses to
change the password and exits.
The user is
then prompted twice for a replacement password. The second
entry is compared against the first and both are required to
match in order for the password to be changed.
password is tested for complexity. As a general guideline,
passwords should consist of 6 to 8 characters including one
or more characters from each of the following sets:
• digits 0
Care must be
taken not to include the system default erase or kill
characters. passwd will reject any password which is
not suitably complex.
The security of a password depends upon the strength of the
encryption algorithm and the size of the key space. The
legacy UNIX System encryption method is based on the
NBS DES algorithm. More recent methods are now recommended
(see ENCRYPT_METHOD). The size of the key space
depends upon the randomness of the password which is
password security normally result from careless password
selection or handling. For this reason, you should not
select a password which appears in a dictionary or which
must be written down. The password should also not be a
proper name, your license number, birth date, or street
address. Any of these may be used as guesses to violate
You can find
advice on how to choose a strong password on
which apply to the passwd command are:
This option can be used only
with -S and causes show status for all
Delete a user's password (make
it empty). This is a quick way to disable a password for an
account. It will set the named account passwordless.
Immediately expire an account's
password. This in effect can force a user to change his/her
password at the user's next login.
Display help message and
This option is used to disable
an account after the password has been expired for a number
of days. After a user account has had an expired password
for INACTIVE days, the user may no longer sign on to
Indicate password change should
be performed only for expired authentication tokens
(passwords). The user wishes to keep their non-expired
tokens as before.
Lock the password of the named
account. This option disables a password by changing it to a
value which matches no possible encrypted value (it adds a
'!' at the beginning of the password).
Note that this
does not disable the account. The user may still be able to
login using another authentication token (e.g. an SSH key).
To disable the account, administrators should use usermod
--expiredate 1 (this sets the account's
expire date to Jan 2, 1970).
Users with a
locked password are not allowed to change their
Set the minimum number of days
between password changes to MIN_DAYS. A value of zero
for this field indicates that the user may change his/her
password at any time.
change password in
Apply changes in the
CHROOT_DIR directory and use the configuration files
from the CHROOT_DIR directory.
Display account status
information. The status information consists of 7 fields.
The first field is the user's login name. The second field
indicates if the user account has a locked password (L), has
no password (NP), or has a usable password (P). The third
field gives the date of the last password change. The next
four fields are the minimum age, maximum age, warning
period, and inactivity period for the password. These ages
are expressed in days.
Unlock the password of the
named account. This option re-enables a password by
changing the password back to its previous value (to the
value before using the -l option).
Set the number of days of
warning before a password change is required. The
WARN_DAYS option is the number of days prior to the
password expiring that a user will be warned that his/her
password is about to expire.
Set the maximum number of days
a password remains valid. After MAX_DAYS, the
password is required to be changed.
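
The lock and delete options above, and the cleared root password in the NAS answer earlier on this page, leave recognisable states in the shadow file. The following check is an added example, not part of the passwd manual or of any answer quoted here; the names audit_shadow and sample_shadow are hypothetical and the sample lines are constructed. It reports accounts with an empty password field and accounts whose password is locked with '!' while the account itself has not expired.

```shell
#!/bin/sh
# Added example (not from the passwd manual). audit_shadow and sample_shadow
# are hypothetical names; every line in sample_shadow is constructed.

# audit_shadow [FILE...]: read shadow-format lines from FILE or stdin and
# print "user:finding" for each account that needs attention.
audit_shadow() {
    awk -F: -v today="$(( $(date +%s) / 86400 ))" '
        NF < 2 { next }                       # skip blank or malformed lines
        {
            user = $1; hash = $2; expire = $8
            # Field 8 is the account expiry date in days since Jan 1, 1970.
            expired = (expire != "" && expire + 0 <= today + 0)
            rest = hash
            sub(/^!+/, "", rest)              # what is left after the lock mark
            if (hash == "") {
                # Left by "passwd -d" or a hand-cleared field.
                print user ":empty-password"
            } else if (hash ~ /^!/ && rest != "" && rest != "*" && !expired) {
                # "passwd -l" prefixed a real hash with "!", but the account
                # is not expired, so another token such as an SSH key may work.
                print user ":locked-password-account-active"
            }
        }
    ' "$@"
}

# Constructed sample covering empty, usable, locked, locked+expired,
# system ("*") and never-set ("!!") password fields.
sample_shadow() {
    cat <<'EOF'
root::19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
carol:!$6$constructedsalt$constructedhash:19000:0:99999:7::1:
daemon:*:19000:0:99999:7:::
newuser:!!:19000:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

Run it as root against the live file with audit_shadow /etc/shadow, or against the etc/shadow of a mounted disk before that disk goes back on a network.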
Password complexity checking may vary from site to site. The user
is urged to select a password as complex as he or she feels
Users may not be able to change their password on a system if NIS
is enabled and they are not logged into the NIS server.
passwd uses PAM to authenticate users and to change their
The passwd command exits with the following values:
invalid combination of options
unexpected failure, nothing done
unexpected failure, passwd file missing
passwd file busy, try again
invalid argument to option
User account information.
Secure user account information.
PAM configuration for passwd.
passwd, shadow, usermod.