By default, all the account password expiration in Linux are disabled. There have two method to enable and disable password expiration, one of method by editing /etc/shadow file. Another method is using chage command.

1. Edit /etc/shadow

Login as root and type the following command

# vi /etc/shadow

Sample outputs

...
lifelinux:$1$UgE5i8uC$mtNxSoPOCl5G5.9mQOQLy.:15092:0:99999:7:::
...

As with the passwd file, each field in the shadow file is also separated with “:” colon characters, and are as follows:
1. Username, up to 8 characters. Case-sensitive, usually all lowercase. A direct match to the username in the /etc/passwd file.
2. Password, 13 character encrypted. A blank entry (eg. ::) indicates a password is not required to log in (usually a bad idea), and a “*” entry (eg. :*:) indicates the account has been disabled.
3. The number of days (since January 1, 1970) since the password was last changed.
4. The number of days before password may be changed (0 indicates it may be changed at any time)
5. The number of days after which password must be changed (99999 indicates user can keep his or her password unchanged for many, many years)
6. The number of days to warn user of an expiring password (7 for a full week)
7. The number of days after password expires that account is disabled
8. The number of days since January 1, 1970 that an account has been disabled
9. A reserved field for possible future use
Syntax:

{userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:

2. Using chage command

Usage: chage [options] user

Options:
  -d, --lastday LAST_DAY        set last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximim number of days before password
                                change to MAX_DAYS
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS

To list current aging type chage command for particular user account, example lifelinux, enter

# chage -l lifelinux

Sample outputs

Last password change                                    : Apr 28, 2011
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

Example: Set password aging for lifelinux, force password change every 60 days (-M 60), and prevent password changes for seven days (-m 7). Login users will receiving warnings 7 days (-W 7) and account will be locked after 7 days (-I 7).

# chage -m 7 -M 60 -W 7 -I 7 lifelinux

To Disable password aging, enter

# chage -m 0 -M 99999 -I -1 lifelinux

Force user to change password at first login, enter

# chage -d 0 lifelinux

The post Setting Up Password Aging In Linux appeared first on lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks.

Deny user login by /etc/shadow

Default, Linux systems use /etc/shadow to store the encrypted user passwords. The quickest way to block a user is to alter is password stored in /etc/shadow. Normally an active user account will have one line in /etc/shadow that will look like:

files:$1$x52JQZle$82KTK0hbzozR3BRuwEWLF.:14970:0:99999:7:::

Where the second field is the encrypted password. If we replace the password with “*” or “!” this will make the account unusable, and it will mean that no login is permitted for the user

files:!:14970:0:99999:7:::

Deny user login by passwd command

Use flag -l to lock the specified account and it is available to root only, example deny user1 login

# passwd -l user1

Deny user login by usermod command

The /sbin/nologin command politely refuse a login. It displays a message that an account is not available and exits non-zero. This is prefreed method these days to deny login access to account. You can also change shell to /sbin/nologin, type the following command

# usermod -s /sbin/nologin user1

Verify with these commands:

# cat /etc/passwd | grep user1

Shown as follows

user1:x:607:605::/home/user1:/sbin/nologin

The post How To Deny Or Block User Login In Linux appeared first on lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks.