Linux Commands Examples

A great documentation place for Linux commands

passwd

change user password


see also : chpasswd - usermod

Synopsis

passwd [options] [LOGIN]


add an example, a script, a trick and tips

: email address (won't be displayed)
: name

Step 2

Thanks for this example ! - It will be moderated and published shortly.

Feel free to post other examples
Oops ! There is a tiny cockup. A damn 404 cockup. Please contact the loosy team who maintains and develops this wonderful site by clicking in the mighty feedback button on the side of the page. Say what happened. Thanks!

examples

5
source

Trying to change a Ubuntu user's password, authentication token manipulation error

Check the permissions on your /etc/shadow file. They must be set to 000 or you cannot edit user password data

4
source

Linux (redhat) how to change password to previous password

Either enter the password as root, or modify the PAM configuration to relax the password requirements. Either way, this is something that only root can do.

3
root $  useradd rohit

root $  passwd rohit

new password  = 123456

password set...



su - rohit

rohit $ passwd

enter unix password = 654321

authentication token manipulation error ------
example added by rohit
1
source

Prevent linux user from changing their password in ssh

Do chmod go-rx /usr/bin/passwd Normal users can then not run passwd. If you want some users to be able to, you can put them in a special group perhaps.

0
source
            
login login.gdb
passwd passwd.gdb
0
source
            
admin:<crypted passwd>
0
source

Does the root account always have UID/GID 0?

There are actually two parts to your question.

Does the superuser account always have uid/gid 0/0 on Linux?

Yes. As is pointed out by Rich Homolka in a comment, there's code in the kernel which explicitly checks for uid 0 when needing to check for the root user, which means that root always has at least uid 0.

Is the name of the user account with uid 0 always root?

No. root is just a name, listed in /etc/passwd or some other authentication store. You could just as well call the account admin, and the OS itself won't care, but some applications might not quite like it because they expect there to exist a privileged account named root. Calling the uid 0 account on a *nix root is a very strongly held convention, but it isn't required by the system.

It's also worth noting that, as pointed out by Simon Richter, on BSDs there often exists a second uid 0 account, by convention named toor (which is "root" spelled backwards). For example, FreeBSD uses it to provide a root user with a customized shell setting, leaving the root user with a default shell which is guaranteed to exist on the system's root partition (useful for recovery purposes).

0
source

Cannot lock /etc/passwd; try again later

That's because you don't have permissions for those operations

  • You can't read /etc/shadow
  • You can't directly modify /etc/passwd

You can change both files through specialized commands (e.g you can change your password).

0
source

Reset user passwd when you don't know it

I have not done this in a long time so I might be wrong. You can reset the password by rebooting into single-user mode.

Here are some links:

http://www.linuxtopia.org/online_books/centos_linux_guides/centos_linux_step_by_step_guide/s1-q-and-a-root-passwd.html

http://www.centos.org/docs/5/html/Installation_Guide-en-US/s1-rescuemode-boot.html

0
source

How to restore the /etc/passwd file?

Maybe this: When the bootloader shows up, add

init=/bin/bash

to the kernel parameters. Instead of booting normally (with the init process spawning all the other services including login), you should end up in single-user mode with a root shell (no password is asked) and be able to restore the passwd file. On some distributions you may need to manually remount the root partition in read/write mode before moving the file:

mount -o remount,rw /dev/sda123

(I don't want to test your issue and see if this solution works :)

0
source

how to add a SMB (samba) password for a user in Debian, when there is no smbpasswd binary?

Looks like it's in the samba-common-bin package: package page, filelist

Appears this was spun out of samba-common with version 2:3.4.0~pre2-1 of the samba source package (changelog):

samba (2:3.4.0~pre2-1) experimental; urgency=low

[ Jelmer Vernooij ]
* Split binaries out of samba-common into samba-common-bin.
Closes: #524661

0
source

Renamed root in /etc/passwd and now sudo does not work

Try :

sudo -u new_wrong_root_user

If you can't, reboot on a live-cd, then in terminal :

mkdir target
mount /dev/sda1 target # sda1 if / is the first partition of the first drive
vim target/etc/passwd
0
source

passwd/shadow or group/gshadow mismatch?

Why would you use Excel?

cut -d: -f1 /etc/passwd | sort > p.out
sudo cut -d: -f1 /etc/shadow | sort > s.out
diff p.out s.out
rm p.out s.out

Or in Bash:

diff <(cut -d: -f1 /etc/passwd | sort) <(sudo cut -d: -f1 /etc/shadow | sort)

and you can do the same kind of thing for /etc/group and /etc/gshadow.

You need to run GUI System>Administration>Users and Groups with elevated permissions. Is it asking you for a password?

0
source

how to share Linux user passwords and Samba passwords

Use PAM's support module for /etc/passwd.


Update:

There is a fundamental reason why you cannot unify these authentication mechanisms in any simple way.

  • Unix and Linux /etc/passwd authentication requires that the user's password be presented to the server. This can be within an encrypted channel (as in SSH password authentication when not using private-key authentication).
  • NTLM and MS-Kerberos authentication don't transmit passwords they transmit a hash of a password and the authenticating server takes it's copy of the user's password, constructs a hash using the same algorithm and compares the hash result with the hash presented by the client. Since /etc/passwd doesn't store passwords and uses a different hashing algorithm, /etc/passwd has insufficient information for authenticating NTLM/Kerberos clients.
  • Really old SMB authentication protocols pass the password (in plaintext, i.e. unprotected) and a SMB server can therefore compute a /etc/passwd type hash of this and compare it to the hash stored in /etc/passwd.

From the above it follows that you need a separate file to store passwords (smbpasswd) or a domain controller if you want to avoid plain text passwords transiting your LAN.

0
source

How can I automatically pass the password to 'su'?

Your exploit could also write to the groups file and make the current user part of the 'wheel' group (or whatever group can run sudo commands w/o a password). Then you'll be able to sudo su root (or any other user) w/o a password.

Running visudo should give you some direction on the setup of the 'wheel' group on your machine.

To clarify: once a user becomes part of the wheel group, they can run sudo commands without needing a password.

0
source

passwd pauses after bad password has been entered

Yes, the delay is a protection against brute force, and is around 3 seconds.

The reason why it doesn't appear in the passwd man, is because it is controlled by the authentication backend - usually pam.

man pam_unix

Shows you can set a nodelay to eliminate the delay. You can also set applications specific delays in pam_faildelay

man pam_faildelay

These settings are all managed in

/etc/pam.d/*
0
source

Use Qemu & chroot to reset password on mounted external disk

This is probably a useful starting point, because it includes instructions for dealing with mirrored drives: http://forums.seagate.com/t5/BlackArmor-NAS-Network-Storage/SSH-root-access-for-BlackArmor-NAS/td-p/108264

A quick and dirty solution if the NAS uses a standard /etc/passwd and /etc/shadow files (this depends on its /etc/nsswitch.conf as well as its pam configuration in /etc/pam.conf and /etc/pam.d/*), is to simply delete the root password there: assuming you've mounted the NAS root partition as /mnt, then edit /mnt/etc/shadow to clear the password field (change a line starting root:<hashed_password>:... to root::....

Remember that you absolutely must log into the NAS, become root (if you get a password prompt, just hit return) and set a new password before reattaching it to a shared network (let alone the internet), because root has an empty password!

description

The passwd command changes passwords for user accounts. A normal user may only change the password for his/her own account, while the superuser may change the password for any account. passwd also changes the account or associated password validity period.

Password Changes
The user is first prompted for his/her old password, if one is present. This password is then encrypted and compared against the stored password. The user has only one chance to enter the correct password. The superuser is permitted to bypass this step so that forgotten passwords may be changed.

After the password has been entered, password aging information is checked to see if the user is permitted to change the password at this time. If not, passwd refuses to change the password and exits.

The user is then prompted twice for a replacement password. The second entry is compared against the first and both are required to match in order for the password to be changed.

Then, the password is tested for complexity. As a general guideline, passwords should consist of 6 to 8 characters including one or more characters from each of the following sets:

• lower case alphabetics

• digits 0 thru 9

• punctuation marks

Care must be taken not to include the system default erase or kill characters. passwd will reject any password which is not suitably complex.

Hints for user passwords
The security of a password depends upon the strength of the encryption algorithm and the size of the key space. The legacy UNIX System encryption method is based on the NBS DES algorithm. More recent methods are now recommended (see ENCRYPT_METHOD). The size of the key space depends upon the randomness of the password which is selected.

Compromises in password security normally result from careless password selection or handling. For this reason, you should not select a password which appears in a dictionary or which must be written down. The password should also not be a proper name, your license number, birth date, or street address. Any of these may be used as guesses to violate system security.

You can find advices on how to choose a strong password on http://en.wikipedia.org/wiki/Password_strength

options

The options which apply to the passwd command are:

-a, --all

This option can be used only with -S and causes show status for all users.

-d, --delete

Delete a user's password (make it empty). This is a quick way to disable a password for an account. It will set the named account passwordless.

-e, --expire

Immediately expire an account's password. This in effect can force a user to change his/her password at the user's next login.

-h, --help

Display help message and exit.

-i, --inactive INACTIVE

This option is used to disable an account after the password has been expired for a number of days. After a user account has had an expired password for INACTIVE days, the user may no longer sign on to the account.

-k, --keep-tokens

Indicate password change should be performed only for expired authentication tokens (passwords). The user wishes to keep their non-expired tokens as before.

-l, --lock

Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a ´!´ at the beginning of the password).

Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970).

Users with a locked password are not allowed to change their password.

-n, --mindays MIN_DAYS

Set the minimum number of days between password changes to MIN_DAYS. A value of zero for this field indicates that the user may change his/her password at any time.

-q, --quiet

Quiet mode.

-r, --repository REPOSITORY

change password in REPOSITORY repository

-R, --root CHROOT_DIR

Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory.

-S, --status

Display account status information. The status information consists of 7 fields. The first field is the user's login name. The second field indicates if the user account has a locked password (L), has no password (NP), or has a usable password (P). The third field gives the date of the last password change. The next four fields are the minimum age, maximum age, warning period, and inactivity period for the password. These ages are expressed in days.

-u, --unlock

Unlock the password of the named account. This option re-enables a password by changing the password back to its previous value (to the value before using the -l option).

-w, --warndays WARN_DAYS

Set the number of days of warning before a password change is required. The WARN_DAYS option is the number of days prior to the password expiring that a user will be warned that his/her password is about to expire.

-x, --maxdays MAX_DAYS

Set the maximum number of days a password remains valid. After MAX_DAYS, the password is required to be changed.

caveats

Password complexity checking may vary from site to site. The user is urged to select a password as complex as he or she feels comfortable with.

Users may not be able to change their password on a system if NIS is enabled and they are not logged into the NIS server.

passwd uses PAM to authenticate users and to change their passwords.

exit values

The passwd command exits with the following values:

0

success

1

permission denied

2

invalid combination of options

3

unexpected failure, nothing done

4

unexpected failure, passwd file missing

5

passwd file busy, try again

6

invalid argument to option

files

/etc/passwd

User account information.

/etc/shadow

Secure user account information.

/etc/pam.d/passwd

PAM configuration for passwd.


see also

chpasswd , passwd, shadow, usermod .

How can this site be more helpful to YOU ?


give  feedback