
passwd command

How to: OpenBSD reset root password

If you forgot your root password, you can simply reset it. The general procedure for resetting the password is as follows (if you are a Linux user, see how to reset Linux root password):

a) At the boot> prompt, force OpenBSD to boot into single user mode

b) Next mount file system in read-write mode

c) Run passwd command

d) Sync file system

e) Reboot and login normally.

Procedure to reset root password

At boot> prompt type boot -s to boot into single user mode:
boot> boot -s
Next you will see a message as follows:

Enter pathname of shell or RETURN for sh:

Just hit [Enter] key to load sh shell.
Next mount / and /usr file system in read-write mode:
# mount -uw /
# mount /usr

Finally set or change the password for root user, enter:
# passwd
Press CTRL+D to boot into multiuser mode or just reboot server:
# reboot

Further reading

FreeBSD Reset or Recover Root Password

With FreeBSD version 5.4 and above the booting procedure is slightly changed. Older versions of FreeBSD use the boot -s option at the Ok prompt. However, with FreeBSD 5.4+ you don't have to type any commands. Here is the procedure to boot FreeBSD into single user mode to reset the root password.

FreeBSD: Password expiry / aging policy

For security reasons you must enable a password expiry policy on a FreeBSD box. Linux comes with the chage command, which changes the number of days between password changes and the date of the last password change.

FreeBSD pw command

Use the pw command to set up a password expiry date for an existing user account. The syntax is as follows:
pw user mod USERNAME -p DD-MMM-YY

Where,

  • -p DD-MMM-YY: Set the account's password expiration date.

For example, expire user rocky's password on 31-Mar-2006:
# pw user mod rocky -p 31-mar-06
Use the pw command to set up password expiry while creating a new user account:
pw user add USERNAME -p DATE -e DAYS
Where,

  • -p DAYS: Set default account expiration period in days
  • -e DAYS: Set the account's expiration date.

For example, create a user called didi and set the default password expiration to 30 days:
# pw user add didi -p 30 -d /home/didi -m
# passwd didi

This is good if you have a small number of users. For a large installation base (such as university computers) you need to define a user login class. With a login class you can control the following:

  • Resource limits
  • Accounting limits
  • Authentication limits
  • Default user environment settings.

HowTo: Recovering Linux Grub Boot Loader Password

If you have a password-protected grub boot loader and you forgot both the root and grub passwords, then you can recover the grub boot loader password using the following procedure:

* Use Knoppix cd
* Remove the password from Grub configuration file
* Reboot the system
* Change the root password
* Setup new Grub password if required (optional)

Linux: Recovering Deleted /etc/shadow Password File

You may delete a file called /etc/shadow. If you try to boot into single user mode, the system will ask for the maintenance root password. Now imagine this: you do not have a backup of the /etc/shadow file. How do you fix such a problem in a production environment where time is a critical factor? I will explain how to recover a deleted /etc/shadow file in five easy steps.

For security reasons, it is necessary to disable all accounts with no password and lock them down. Solaris, Linux and FreeBSD provide an account locking (and unlocking) facility.

Lock Linux user account with the following command:

passwd -l {user-name}

For unlocking the account use:

passwd  -u {user-name}

-l : This option disables an account by changing the password to a value that matches no possible encrypted value.

Lock FreeBSD user account with the following command:

pw lock {username}

To unlock a FreeBSD account use:

pw unlock {username}

Lock Solaris UNIX user account with the following command:

passwd -l {username}

Lock HP-UX user account with the following command:

passwd -l {username}

For unlocking the HP-UX account you need to edit /etc/passwd file using text editor (or use SAM):

vi /etc/passwd 

However, how will you find accounts without a password? Again, with the help of the 'passwd -s' (status) command you can find all passwordless accounts.

Linux display password status

passwd -S {user-name}

Where,
-S : Display account status information. The status information consists of seven fields. The second field indicates the password status using the following format:

  • L : The user account is locked
  • NP : The account has no password
  • P : The account has a usable password

# passwd -S radmin

radmin P 10/08/2005 0 99999 7 -1

Solaris UNIX display password status

passwd -s {user-name}

Where,
-s : Display account status information using the following format:

  • PS : Account has a usable password
  • LK : User account is locked
  • NP : Account has no password

FreeBSD
I have already written about a small awk one-liner approach to find all password-less accounts.

Automated Scripting Solution
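However, in real life you would write a script and execute it from a cron job. Here is a small script for Linux:

#!/bin/sh
# Lock every local account that passwd -S reports as NP (no password).
USERS="$(cut -d: -f 1 /etc/passwd)"
for u in $USERS
do
	# Field 2 of the status line is the password state (L, NP or P).
	if [ "$(passwd -S "$u" 2>/dev/null | awk '{ print $2 }')" = "NP" ]; then
		passwd -l "$u"
	fi
done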

FreeBSD script:

#!/bin/sh
# Lock every account in /etc/master.passwd whose password field is empty.
USERS="$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd | cut -d: -f1)"
for u in $USERS
do
	pw lock "$u"
done

Sun Solaris script:

#!/bin/sh
# Lock every account that passwd -sa reports as NP (no password).
USERS=`passwd -sa | grep -w NP | awk '{ print $1 }'`
for u in $USERS
do
	passwd -l "$u"
done

You can easily add email alert support to the script so that whenever it finds passwordless account(s) it sends an email alert. See the complete working example of script here.
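
A report-only counterpart to the locking scripts above, added here as an example and not taken from the original post: it classifies accounts from a shadow-format file and lists the passwordless ones, so the output can feed an alert instead of an automatic lock. The function names and the sample data are constructed for illustration, and treating a leading ! or * in the password field as "locked" is an assumption that covers the prefixes written by Linux passwd -l and FreeBSD pw lock.

```sh
#!/bin/sh
# Added example: report-only audit; nothing is locked or modified.
# Input is a file in shadow(5) / master.passwd(5) layout (name:hash:...).

# Print "name:STATE" for every account, judged by the second field:
#   NP  empty field, the account has no password
#   LK  field starts with ! or * (assumed lock convention, see lead-in)
#   PS  anything else, treated as a usable password hash
classify_accounts() {
    awk -F: '
        NF < 2 || $1 ~ /^[#+-]/ { next }   # comments, NIS entries, junk
        $2 == ""                { print $1 ":NP"; next }
        $2 ~ /^[!*]/            { print $1 ":LK"; next }
                                { print $1 ":PS" }
    ' "$1"
}

# Print only the names of passwordless accounts, one per line.
list_passwordless() {
    classify_accounts "$1" | awk -F: '$2 == "NP" { print $1 }'
}

# Constructed sample data; the hashes are placeholders, not real ones.
sample_shadow() {
    cat <<'EOF'
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
radmin::19000:0:99999:7:::
backup:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
# comment line
guest::19000:0:99999:7:::
EOF
}

# Run the audit against the sample; on a real host pass /etc/shadow
# (Linux) or /etc/master.passwd (FreeBSD) to list_passwordless as root.
audit_demo() {
    tmp=$(mktemp) || return 1
    sample_shadow > "$tmp"
    list_passwordless "$tmp"
    rm -f "$tmp"
}

audit_demo
```
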

Shutdown Linux Server With Shutdown Account

Have you ever wondered why shutdown account exists on Linux server, especially under Red Hat Enterprise Linux distribution? The answer is quite simple - shutdown account can shutdown server. Here is how you can enable the shutdown account: