3.4.3. Updating Users' Authentication

When running the basic useradd username command, the password is automatically set to never expire (see the /etc/shadow file).
If you want to change this, use passwd, the standard utility for administering the /etc/passwd file. The syntax of the passwd command looks as follows:
passwd option(s) username
You can, for example, lock the specified account. Locking is performed by rendering the encrypted password into an invalid string by prefixing the encrypted string with an exclamation mark (!). If you later find a reason to unlock the account, passwd has a reverse operation for locking. Only root can carry out these two operations.
passwd -l username
passwd -u username

Example 3.8. Unlocking a User Password

~]# passwd -l robert
Locking password for user robert.
passwd: Success
~]# passwd -u robert
passwd: Warning: unlocked password would be empty
passwd: Unsafe operation (use -f to force)
At first, the -l option locks robert's account password successfully. However, running the passwd -u command does not unlock the password because by default passwd refuses to create a passwordless account.
If you want a password for an account to expire, run passwd with the -e option. The user will be forced to change the password during the next login attempt:
passwd -e username
As far as the password lifetime is concerned, setting the minimum time between password changes is useful for forcing the user to really change the password. The system administrator can set the minimum (the -n option) and the maximum (the -x option) lifetimes. To inform the user about their password expiration, use the -w option. All these options must be accompanied by the number of days and can be run as root only.

Example 3.9. Adjusting Aging Data for User Passwords

~]# passwd -n 10 -x 60 -w 3 jane
The above command sets the minimum password lifetime to 10 days, the maximum password lifetime to 60 days, and the number of days before expiration that jane begins receiving warnings to 3 days.
Later, when you cannot remember the password settings, use the -S option, which outputs short status information about the password for a given account:
~]# passwd -S jane
jane LK 2014-07-22 10 60 3 -1 (Password locked.)
You can also use the useradd command to set the number of days after a password expires until the account is permanently disabled. A value of 0 disables the account as soon as the password has expired, and a value of -1 disables the feature, that is, the user will have to change their password when the password expires. The -f option specifies the number of days after a password expires until the account is disabled (but may be unblocked by the system administrator):
useradd -f number-of-days username
For more information on the passwd command see the passwd(1) man page.
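The following audit script is an added example, not part of the Red Hat documentation. It reads shadow(5)-format lines and reports the conditions discussed above: a password locked with the ! prefix, a locked entry that would be empty if unlocked (the Example 3.8 case), and missing aging limits. The function names, the finding labels, the sample entries, and the treatment of a maximum of 99999 days as "never expires" are assumptions.

```shell
#!/bin/sh
# audit_shadow: read shadow(5)-format lines on stdin and print one
# "user<TAB>finding[,finding...]" line for each account with findings.
# Real use (as root): audit_shadow < /etc/shadow
audit_shadow() {
    awk -F: '
    function add(list, item) { return (list == "") ? item : list "," item }
    /^#/ || NF < 8 { next }            # skip comments and malformed lines
    {
        user = $1; hash = $2; min = $4; max = $5; out = ""
        stripped = hash
        sub(/^!+/, "", stripped)       # what remains once the lock prefix is removed
        if (hash ~ /^!/) {
            out = add(out, "locked")
            # Example 3.8 case: passwd -u refuses because nothing would be left
            if (stripped == "") out = add(out, "unlock-would-be-empty")
        } else if (hash == "") {
            out = add(out, "empty-password")
        }
        # An empty maximum means no limit; 99999 is treated the same (assumption)
        if (max == "" || max + 0 >= 99999) out = add(out, "never-expires")
        # No minimum lets a user change a password and change it straight back
        if (min == "" || min + 0 == 0) out = add(out, "no-minimum-age")
        if (out != "") printf "%s\t%s\n", user, out
    }'
}

# Constructed sample entries (hashes are placeholders, not real values):
# robert has only the lock marker, jane has the aging values from Example 3.9,
# alice has the defaults left by a basic useradd.
sample_shadow() {
cat <<'EOF'
robert:!!:16273:0:99999:7:::
jane:!$6$constructedsalt$constructedhash:16273:10:60:3:::
alice:$6$constructedsalt$constructedhash:16273:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```
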