Linux with Operating System Concepts

User Accounts
◾
367
the 
got
in forgotten and the 
ment
in government, giving comgotment. A script could be 
written to produce such a password.
If you use any of the above approaches to generate initial passwords, then you will have 
strong passwords. However, users will change their passwords (below, we discuss mecha-
nisms to ensure that they change their passwords frequently). How can we ensure that they 
change their passwords to strong passwords? We will want to ensure three things. First, 
that the new passwords are strong. Second, that the new passwords are not old passwords. 
And third, that the new passwords do not have patterns of repeated characters from old 
passwords. For instance, if the user’s current password is a1b2c3d4, we need to prevent the 
user from using a similar password such as a1b2c3d5 or z1b2c3d4.
9.4.2 Managing Passwords
Password management requires that passwords are modified in a timely fashion. For this 
duty, we turn to two standard Linux programs: 
chage
and 
passwd
. The chage pro-
gram allows the system administrator to change user password expiration dates of a user. 
Through chage, the system administrator can force users to change passwords by specific 
dates or be locked out of their accounts. The format is of the instruction is
chage [options] username
We specify many of these options with a day or date. This value must be either the num-
ber of days that have elapsed since January 1, 1970 (known as the 
epoch
), or the actual date 
using the format YYYY-MM-DD as in 2013-05-31 for May 31, 2013.
The chage program modifies entries in /etc/shadow because the shadow file stores not 
only encrypted passwords but also password expiration information. The format of the 
shadow file for each entry is shown below. The letters in parentheses are the options in 
chage that allow you to change those entries.
• Username
• Encrypted password
• Days since January 1, 1970 that the password was last changed (-d)
• Days before the password may change again (-m)
• Days before the password must be changed (-M)
• Days before warning is issued (-W)
• Days after the password expires that the account is disabled (-I)
• Days since January 1, 1970 that the account will become disabled (-E)
Two entries from the /etc/shadow file are shown below (with the encrypted passwords 
omitted and replaced with …). For zappaf and foxr, they are allowed to change passwords 

368
◾
Linux with Operating System Concepts
in 1 day and are required to change them within 35 and 28 days, respectively, with warn-
ings issued in 25 and 21 days, respectively. If they fail to change their passwords, their 
accounts become inactive within 20 and 10 days, respectively.
zappaf:...:15558:1:35:25:20:365:
foxr:...:15558:1:28:21:10::
The user zappaf is set to have his account expire in 365 days while foxr has no expiration 
date set. For foxr’s entry, the :: at the end indicates that this last field (disable date) is not set. 
Finally, there could be a value at the very end of the line (after the last colon) but this field 
while currently reserved is not used.
The chage command has eight options, one is -h to obtain help. The other seven are 
described in Table 9.4. If no options are provided to chage, then chage operates in an inter-
active mode, prompting the user for each field.
The passwd program can also modify some of these entries. Many of the same options 
in chage are available in passwd, although they are specified differently. Table 9.5 illustrates 
the passwd options (refer to Table 9.4 as needed).
9.4.3 Generating Passwords in Our Script
You might have noticed that the User Manager GUI required that we specify an initial 
password for our users whereas useradd did not. We can enhance our previous script to 
create user accounts by also generating passwords. We will call upon apg to generate a 
password and then use passwd to alter the user’s password from initially having none to 
TABLE 9.4 
Common chage Options

Download 5,65 Mb.

Do'stlaringiz bilan baham: