Sun Microsystems, Inc.
16. Administering Passwords

Locking a Password
To lock a password, use:

passwd -l username

Unlocking a Password

To unlock a user's password, you simply change it. You can "change" it back to the exact same password that it was when it was locked. Or you can change it to something new.

For example, to unlock jody's password, you would enter:

station1% passwd jody

Managing Password Aging

Password aging is a mechanism you can use to force users to periodically change their passwords.

Password aging allows you to:

  • Force a user to choose a new password the next time the user logs in. (See "Forcing Users to Change Passwords" for details.)

  • Specify a maximum number of days that a password can be used before it has to be changed. (See "Setting a Password Age Limit" for details.)

  • Specify a minimum number of days that a password has to be in existence before it can be changed. (See "Setting Minimum Password Life" for details.)

  • Specify that a warning message be displayed whenever a user logs in a specified number of days before the user's password time limit is reached. (See "Establishing a Warning Period" for details.)

  • Specify a maximum number of days that an account can be inactive. If that number of days pass without the user logging in to the account, the user's password will be locked. (See "Specifying Maximum Number of Inactive Days" for details.)

  • Specify an absolute date after which a user's password cannot be used, thus denying the user the ability to log on to the system. (See "Password Privilege Expiration" for details.)

Keep in mind that users who are already logged in when the various maximums or dates are reached are not affected by the above features. They can continue to work as normal.

Password aging limitations and activities are only activated when a user logs in or performs one of the following operations:

  • login

  • rlogin

  • telnet

  • ftp

These password aging parameters are applied on a user-by-user basis. You can have different password aging requirements for different users. (You can also set general default password aging parameters as described in "Managing Password Aging".)

Forcing Users to Change Passwords

There are two ways to force a user to change passwords the next time the user logs in:

Force change keeping password aging rules in effect

passwd -f username

Force change and turn off password aging rules

passwd -x 0 username

Setting a Password Age Limit

The -x max argument to the passwd command sets an age limit for the current password. In other words, it specifies the number of days that a password remains valid. After that number of days, the user must choose a new password. Once the maximum number of days has passed, the next time the user tries to log in with the old password, a "Your password has been expired for too long" message is displayed and the user is forced to choose a new password in order to finish logging in to the system.

The max argument uses the following format:

passwd -x max username

Where:

  • username is the login ID of the user

  • max is one of the following values:

    • Greater than zero. Any number greater than zero sets that number of days before the password must be changed.

    • Zero (0). A value of zero (0) forces the user to change passwords the next time the user logs in, and it then turns off password aging.

    • Minus one (-1). A value of minus one (-1) turns off password aging. In other words, entering passwd -x -1 username cancels any previous password aging applied to that user.

For example, to force the user schweik to change passwords every 45 days, you would type the command:

station1% passwd -x 45 schweik

Setting Minimum Password Life

The -n min argument to the passwd command specifies the number of days that must pass after a password change before the user can change the password again. If a user tries to change passwords before the minimum number of days has passed, a "Sorry less than N days since the last change" message is displayed.

The min argument uses the following format:

passwd -x max -n min username

Where:

  • username is the login ID of the user

  • max is the maximum number of days a password is valid as described in the section above

  • min is the minimum number of days that must pass before the password can be changed.

For example, to force the user eponine to change passwords every 45 days and to prevent the password from being changed for the first 7 days, you would type the command:

station1% passwd -x 45 -n 7 eponine

The following rules apply to the min argument:

  • You do not have to use a min argument or specify a minimum number of days before a password can be changed.

  • If you do use the -n min argument, it must always be used in conjunction with the -x max argument. In other words, in order to set a minimum value you must also set a maximum value.

  • If you set min to be greater than max, the user is unable to change passwords at all. For example, the command passwd -x 7 -n 8 prevents the user from changing passwords. If the user tries to change passwords, the "You may not change this password" message is displayed. Setting the min value greater than the max value has two effects:

    • The user is unable to change the password. In this case, only someone with administrator privileges can change it. For example, in situations where multiple users share a common group password, setting the min value for that password greater than the max value would prevent any individual user from changing the group password.

    • The password is only valid for the length of time set by the max value, but the user cannot change it because the min value is greater than the max value. Thus, there is no way for the user to prevent the password from becoming invalid at the expiration of the max time period. In effect, this prevents the user from logging in after the max time period unless an administrator intervenes.
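The following is an added worked model (not Sun's code) of how the aging parameters described in "Managing Password Aging", "Forcing Users to Change Passwords", "Setting a Password Age Limit" and "Setting Minimum Password Life" combine at login time and at password-change time. It assumes shadow-style fields expressed as day numbers (lastchg, max, min, warn, inactive, expire) and evaluates them for a hypothetical login on a given day.

```python
"""Constructed model of the Solaris password-aging rules on this page.
Fields are day counts as in /etc/shadow; None means the field is not set."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Aging:
    lastchg: int                        # day the password was last changed
    max_days: Optional[int] = None      # passwd -x: >0 limit, 0 force change, -1 aging off
    min_days: Optional[int] = None      # passwd -n: days before the user may change again
    warn_days: Optional[int] = None     # days before max at which a warning is shown
    inactive: Optional[int] = None      # max days without a login before the password locks
    expire: Optional[int] = None        # absolute day after which login is denied
    last_login: Optional[int] = None    # day of the most recent login


def login_status(a: Aging, today: int) -> str:
    """Outcome of a login attempt on `today`, checked in the order the
    rules take effect: 'denied', 'locked', 'must_change', 'warn' or 'ok'.
    (Sessions already open when a limit is reached are unaffected.)"""
    if a.expire is not None and today > a.expire:
        return "denied"                 # absolute expiration date passed
    if (a.inactive is not None and a.last_login is not None
            and today - a.last_login > a.inactive):
        return "locked"                 # inactive for too many days
    if a.max_days is None or a.max_days < 0:
        return "ok"                     # -x -1 (or unset): aging turned off
    if a.max_days == 0:
        return "must_change"            # -x 0: change now, then aging is off
    age = today - a.lastchg
    if age > a.max_days:
        return "must_change"            # "Your password has been expired for too long"
    if a.warn_days is not None and age >= a.max_days - a.warn_days:
        return "warn"                   # inside the warning window
    return "ok"


def can_change(a: Aging, today: int) -> bool:
    """Whether the user (not an administrator) may run passwd on `today`."""
    if (a.max_days is not None and a.min_days is not None
            and a.min_days > a.max_days):
        return False                    # min > max: "You may not change this password"
    if a.min_days is not None and today - a.lastchg < a.min_days:
        return False                    # "Sorry less than N days since the last change"
    return True
```

A user given passwd -x 7 -n 8 can never change the password and is forced out once the 7 days pass, which is the administrator-intervention case described above.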
