9. Manage Users and Groups
Red Hat Certified System Administrator (RHCSA - EX200)
1. Understanding Password Management in Linux
In Linux systems:
- User passwords are stored securely in the file: /etc/shadow
- This file is readable only by the root user for security reasons.
Each user has password-related settings such as:
- Password expiration date
- Minimum days before change
- Maximum days before expiry
- Warning period before expiry
2. Changing User Passwords
2.1 Change Your Own Password
A normal user can change their own password using:
passwd
The system will prompt:
- Current password
- New password
- Confirm new password
2.2 Change Another User's Password (Root Only)
The root user can change any user's password:
passwd username
Example:
passwd user1
No need to enter the old password.
2.3 Lock and Unlock User Password
Lock a user account:
passwd -l username
- This disables password login by locking the password. Other authentication methods, such as SSH keys, are not affected.
Unlock a user account:
passwd -u username
2.4 Delete a User Password
Remove the password (the user can then log in without a password if the system allows it):
passwd -d username
3. Forcing Password Change
To force a user to change password at next login:
passwd -e username
- The password expires immediately.
- The user must set a new password on next login.
4. Password Aging Policies
Password aging controls how long a password is valid.
This improves security by requiring users to update passwords regularly.
5. Viewing Password Aging Information
Use the chage command:
chage -l username
Example output shows:
- Last password change
- Password expiry date
- Minimum days
- Maximum days
- Warning days
6. Setting Password Aging (chage Command)
The chage command is used to modify password aging settings.
6.1 Set Maximum Password Lifetime
chage -M days username
Example:
chage -M 90 user1
- Password expires after 90 days
6.2 Set Minimum Days Between Changes
chage -m days username
Example:
chage -m 7 user1
- User must wait 7 days before changing password again
6.3 Set Warning Days Before Expiry
chage -W days username
Example:
chage -W 10 user1
- User gets warning 10 days before password expires
6.4 Set Account Expiration Date
chage -E YYYY-MM-DD username
Example:
chage -E 2026-12-31 user1
- Account will be disabled after this date
6.5 Interactive Mode
You can configure all settings interactively:
chage username
The system will prompt for:
- Minimum days
- Maximum days
- Warning period
- Expiration date
7. Important Files for Password Aging
7.1 /etc/login.defs
This file defines default password settings for new users.
Important parameters:
PASS_MAX_DAYS
PASS_MIN_DAYS
PASS_WARN_AGE
Example:
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 10
7.2 /etc/shadow Fields
Each line contains password aging data:
Example format:
username:password:lastchg:min:max:warn:inactive:expire:
Fields:
- Username
- Encrypted password
- Last password change (days since epoch)
- Minimum days
- Maximum days
- Warning days
- Inactive days
- Expiration date
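Added example (not part of the original guide): a shell function, hypothetically named shadow_audit, that reads shadow-format lines and classifies each account from the fields listed above. It relies on the shadow(5) and passwd(1) conventions that an empty password field means no password, a leading `!` or `*` means the password is locked, and a last-change value of 0 forces a change at next login; it ignores the inactive field, and all sample lines and hash strings are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify accounts from shadow-format lines
# (name:hash:lastchg:min:max:warn:inactive:expire:reserved).
# shadow_audit is a hypothetical helper name, not part of shadow-utils.

# Constructed sample data; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW='alice:$6$placeholder$hash:20000:7:90:10:::
bob:$6$placeholder$hash:0:7:90:10:::
carol:!!$6$placeholder$hash:20000:7:90:10:::
dave::20000:0:99999:7:::
erin:$6$placeholder$hash:19900:7:90:10:::
frank:$6$placeholder$hash:20000:7:90:10::20040:
grace:$6$placeholder$hash:19965:7:90:10:::
heidi:$6$placeholder$hash:20000:0:99999:7:::'

# Usage: shadow_audit [today_as_days_since_epoch] < shadow-format-file
# Prints one "name:STATUS" line per account, most serious finding first.
shadow_audit() {
    awk -F: -v today="${1:-$(( $(date +%s) / 86400 ))}" '
    NF < 8 { next }                                  # skip malformed lines
    {
        name = $1; hash = $2; last = $3; max = $5; warn = $6; acct_exp = $8
        if (acct_exp != "" && today >= acct_exp + 0)
            status = "ACCOUNT_EXPIRED"               # date set with chage -E has passed
        else if (hash == "")
            status = "NO_PASSWORD"                   # state left by passwd -d
        else if (hash ~ /^[!*]/)
            status = "LOCKED"                        # state left by passwd -l
        else if (last == "0")
            status = "MUST_CHANGE"                   # state left by passwd -e
        else if (max == "" || max + 0 >= 99999)
            status = "NO_MAX_AGE"                    # password never expires
        else if (last + max < today)
            status = "PASSWORD_EXPIRED"
        else if (warn != "" && today - last > max - warn)
            status = "EXPIRING_IN_" (last + max - today) "_DAYS"
        else
            status = "OK"
        print name ":" status
    }'
}

# Fixed "today" (day 20050) keeps the sample output reproducible.
# On a real host, as root: shadow_audit < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | shadow_audit 20050
```

NO_PASSWORD and NO_MAX_AGE are the findings to review first in an audit, since neither is caught by password aging.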
8. Password Policy Enforcement (Basic)
Linux enforces basic password rules such as:
- Minimum length
- Complexity (depending on configuration)
Controlled by:
/etc/security/pwquality.conf
Example settings:
minlen = 8
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
These enforce:
- At least 8 characters
- At least one digit, one uppercase letter, one lowercase letter, and one special character
9. Practical RHCSA Exam Tasks
You may be asked to:
Task 1: Force password change
passwd -e user1
Task 2: Set password expiry to 60 days
chage -M 60 user1
Task 3: Set minimum days to 5
chage -m 5 user1
Task 4: Set warning period to 7 days
chage -W 7 user1
Task 5: Lock a user account
passwd -l user1
Task 6: Check password aging
chage -l user1
10. Common Mistakes to Avoid
- Forgetting to use root privileges when required
- Setting incorrect date format in chage -E
- Confusing account expiration with password expiration
- Not verifying settings after applying changes
11. Real IT Environment Use
In an IT environment:
- Administrators enforce password expiry (e.g., 90 days)
- New employees are forced to change password at first login
- Inactive accounts are locked automatically
- Security policies require strong passwords and regular updates
12. Quick Summary
| Task | Command |
|---|---|
| Change password | passwd |
| Change another user password | passwd username |
| Force password change | passwd -e username |
| Lock account | passwd -l username |
| Unlock account | passwd -u username |
| Set max days | chage -M |
| Set min days | chage -m |
| Set warning | chage -W |
| Set expiry date | chage -E |
| View settings | chage -l |
