1
00:00:06,660 --> 00:00:08,550
- All right, for people, users,

2
00:00:08,550 --> 00:00:10,740
passwords are pretty important as well.

3
00:00:10,740 --> 00:00:13,109
So what can we manage with these passwords?

4
00:00:13,109 --> 00:00:14,610
Well, first, you should note

5
00:00:14,610 --> 00:00:18,011
that users can change their password using passwd.

6
00:00:18,011 --> 00:00:20,550
If you have administrative privileges,

7
00:00:20,550 --> 00:00:22,560
you can manage passwords in their properties

8
00:00:22,560 --> 00:00:27,560
as well, using passwd and CH-AGE or chage, if you want to.

9
00:00:28,530 --> 00:00:30,120
How does that work?

10
00:00:30,120 --> 00:00:33,630
We'll use chage -l for a list of current settings

11
00:00:33,630 --> 00:00:36,900
so that you can see what currently applies.

12
00:00:36,900 --> 00:00:39,000
You can use chage on a user account

13
00:00:39,000 --> 00:00:41,490
for prompts about all the changeable settings,

14
00:00:41,490 --> 00:00:44,550
and that's pretty convenient. If you use chage Linda,

15
00:00:44,550 --> 00:00:47,880
then chage is going to ask setting by setting

16
00:00:47,880 --> 00:00:50,343
if you want to accept or change.

17
00:00:51,270 --> 00:00:55,173
There's also an option to use passwd -S

18
00:00:55,173 --> 00:01:00,120
to show the current options that are available.

19
00:01:00,120 --> 00:01:02,190
If you want to change passwords,

20
00:01:02,190 --> 00:01:05,760
you can also do that without using an interactive prompt.

21
00:01:05,760 --> 00:01:08,400
A very convenient option is to change passwords

22
00:01:08,400 --> 00:01:10,290
without an interactive prompt.

23
00:01:10,290 --> 00:01:12,780
On Red Hat, you would use echo password

24
00:01:12,780 --> 00:01:15,810
and pipe that to passwd with the option

25
00:01:15,810 --> 00:01:18,240
--stdin. Notice that you need sudo

26
00:01:18,240 --> 00:01:21,210
in order to run that command, obviously.
27
00:01:21,210 --> 00:01:24,840
On Ubuntu, you would use echo username colon password

28
00:01:24,840 --> 00:01:27,840
and send that to chpasswd,

29
00:01:27,840 --> 00:01:31,050
which is also used with sudo privileges, obviously,

30
00:01:31,050 --> 00:01:32,670
and the passwords themselves,

31
00:01:32,670 --> 00:01:35,160
they are written to /etc/shadow.

32
00:01:35,160 --> 00:01:37,510
Let me show you how to work with these options.

33
00:01:40,260 --> 00:01:44,520
So to start with, I'm using sudo passwd -S

34
00:01:44,520 --> 00:01:45,870
on a user account.

35
00:01:45,870 --> 00:01:47,790
And here we can see all the different options

36
00:01:47,790 --> 00:01:49,770
that currently apply.

37
00:01:49,770 --> 00:01:52,380
If I want to change these options, I would definitely

38
00:01:52,380 --> 00:01:55,890
use sudo followed by chage and the name

39
00:01:55,890 --> 00:01:59,340
of the user account, because you are prompted option

40
00:01:59,340 --> 00:02:02,550
by option, and that makes it easy to understand.

41
00:02:02,550 --> 00:02:07,050
So minimum password age, let's do one day.

42
00:02:07,050 --> 00:02:11,910
Maximum password age, let's make that 900.

43
00:02:11,910 --> 00:02:13,386
Last password change,

44
00:02:13,386 --> 00:02:15,150
that is always set to here.

45
00:02:15,150 --> 00:02:19,080
And now I'm not going to edit that on this new user account.

46
00:02:19,080 --> 00:02:20,850
Expiration warning, I'm okay.

47
00:02:20,850 --> 00:02:24,227
Password inactive, not needed. Account expiration date?

48
00:02:24,227 --> 00:02:29,227
I want this account to expire on 2022/12/21.

49
00:02:31,950 --> 00:02:33,120
And there we go.

50
00:02:33,120 --> 00:02:36,450
We have just set the user properties.

51
00:02:36,450 --> 00:02:38,430
Now, what does this look like?

52
00:02:38,430 --> 00:02:40,410
Well, we can investigate:

53
00:02:40,410 --> 00:02:45,150
sudo grep Linda on /etc/shadow.
54
00:02:45,150 --> 00:02:49,200
/etc/shadow is a very secret file where password

55
00:02:49,200 --> 00:02:50,670
properties are stored.

56
00:02:50,670 --> 00:02:52,710
So the first field is the username.

57
00:02:52,710 --> 00:02:53,970
After the username

58
00:02:53,970 --> 00:02:57,150
we have the hash of the encrypted password.

59
00:02:57,150 --> 00:02:58,470
So in order to create an

60
00:02:58,470 --> 00:03:01,230
encrypted password, there's advanced technology.

61
00:03:01,230 --> 00:03:04,500
That includes a salt, which is a random salt,

62
00:03:04,500 --> 00:03:07,500
some random data, and an encryption algorithm

63
00:03:07,500 --> 00:03:09,480
which is held against the password.

64
00:03:09,480 --> 00:03:12,420
And the result is a one-way encrypted cryptostring

65
00:03:12,420 --> 00:03:13,980
that you can see right here.

66
00:03:13,980 --> 00:03:16,110
And I can tell you, no worries about it.

67
00:03:16,110 --> 00:03:18,953
There's no way to calculate your original password

68
00:03:18,953 --> 00:03:21,150
from the crypto string.

69
00:03:21,150 --> 00:03:23,280
And then we can see the password settings.

70
00:03:23,280 --> 00:03:24,760
You know what?

71
00:03:24,760 --> 00:03:27,960
The 19059, that's the number

72
00:03:27,960 --> 00:03:31,800
of days since January 1st, 1970

73
00:03:31,800 --> 00:03:33,873
that this password has been changed.

74
00:03:34,710 --> 00:03:36,090
It's kind of funny to know,

75
00:03:36,090 --> 00:03:39,510
but Linux is using January 1st, 1970

76
00:03:39,510 --> 00:03:41,490
as the beginning of time.

77
00:03:41,490 --> 00:03:44,310
And Linux time is calculated in seconds

78
00:03:44,310 --> 00:03:45,960
since that day.

79
00:03:45,960 --> 00:03:48,690
Now in passwords, they fortunately

80
00:03:48,690 --> 00:03:51,873
don't write down the seconds, but they make it days.

81
00:03:53,291 --> 00:03:57,791
So 19059 days since January 1st, 1970.
82
00:03:57,791 --> 00:04:01,140
Here we can see the minimum password age,

83
00:04:01,140 --> 00:04:03,960
the maximum password age, the password warning,

84
00:04:03,960 --> 00:04:06,780
including the expiration date.

85
00:04:06,780 --> 00:04:08,310
Do you want to memorize all this?

86
00:04:08,310 --> 00:04:10,754
Of course you don't. Use man

87
00:04:10,754 --> 00:04:14,370
on shadow and you will get access to shadow.

88
00:04:14,370 --> 00:04:16,890
That is shadow from section three.

89
00:04:16,890 --> 00:04:19,800
Section three is about library calls.

90
00:04:19,800 --> 00:04:22,260
Definitely not interesting.

91
00:04:22,260 --> 00:04:24,210
I want shadow from section five,

92
00:04:24,210 --> 00:04:28,770
because section five is about configuration files.

93
00:04:28,770 --> 00:04:29,880
And there we go, here

94
00:04:29,880 --> 00:04:32,220
we have the documentation of the shadow file,

95
00:04:32,220 --> 00:04:36,642
including all of the options and how they are used.

96
00:04:36,642 --> 00:04:39,660
This one is the most interesting: reserved field.

97
00:04:39,660 --> 00:04:42,180
The last field is a reserved field.

98
00:04:42,180 --> 00:04:44,790
This field is reserved for future use.

99
00:04:44,790 --> 00:04:47,604
This has been in the man page

100
00:04:47,604 --> 00:04:52,530
since I started Linux, a long time ago.

101
00:04:52,530 --> 00:04:54,960
Alright, now how do we change passwords?

102
00:04:54,960 --> 00:04:59,730
I'm using sudo passwd for Anna and,

103
00:04:59,730 --> 00:05:01,380
oh, we don't have a user Anna.

104
00:05:01,380 --> 00:05:05,370
Okay, let's do this for Linda. Now, what do we see?

105
00:05:05,370 --> 00:05:06,203
We see

106
00:05:06,203 --> 00:05:08,160
that the sudo command is prompting me for a password.

107
00:05:08,160 --> 00:05:10,860
So I need to go once and I need to go twice.
108
00:05:10,860 --> 00:05:13,470
That's annoying, especially if you want to do this

109
00:05:13,470 --> 00:05:16,973
in a script for a hundred users. Can you see yourself

110
00:05:16,973 --> 00:05:19,860
typing a hundred different passwords?

111
00:05:19,860 --> 00:05:21,330
I don't think so.

112
00:05:21,330 --> 00:05:26,210
So a much better solution is this: echo password, pipe, passwd

113
00:05:28,380 --> 00:05:32,583
--stdin on Linda,

114
00:05:33,780 --> 00:05:36,180
which is telling me that I need to be root.

115
00:05:36,180 --> 00:05:37,050
Yes, of course.

116
00:05:37,050 --> 00:05:38,408
I need to be root.

117
00:05:38,408 --> 00:05:41,850
I need to be root on the passwd part.

118
00:05:41,850 --> 00:05:43,380
So I'm using echo password.

119
00:05:43,380 --> 00:05:45,750
That's just echoing the text password.

120
00:05:45,750 --> 00:05:49,500
The pipe will receive it in the sudo passwd command,

121
00:05:49,500 --> 00:05:52,530
which is using --stdin, and the

122
00:05:52,530 --> 00:05:56,580
--stdin means that the stdin is coming from the pipe.

123
00:05:56,580 --> 00:05:57,870
And you see the result.

124
00:05:57,870 --> 00:06:01,530
The result is that I'm not prompted in any way.

125
00:06:01,530 --> 00:06:02,393
It's just updating the password.

126
00:06:02,393 --> 00:06:07,393
On Ubuntu, the way to do this is slightly different.

127
00:06:07,590 --> 00:06:11,580
Let me first check the user names I've got on Ubuntu.

128
00:06:11,580 --> 00:06:12,720
We have user Bill.

129
00:06:12,720 --> 00:06:17,720
Okay. So I'm going to use echo bill colon password

130
00:06:18,450 --> 00:06:22,140
and I'm piping that to sudo chpasswd.

131
00:06:25,740 --> 00:06:26,573
And there we go.

132
00:06:26,573 --> 00:06:30,300
Oh, no, the password fails the dictionary check.

133
00:06:30,300 --> 00:06:33,018
It is based on a dictionary word.

134
00:06:33,018 --> 00:06:38,018
Okay. So we need to make that a little bit more complicated.
135
00:06:40,230 --> 00:06:42,600
You know what, random password, there we go.

136
00:06:42,600 --> 00:06:45,709
I don't care about the password for Bill anyway.

137
00:06:45,709 --> 00:06:48,870
By the way, what you've seen in action right here is

138
00:06:48,870 --> 00:06:52,050
that Ubuntu is more restrictive regarding passwords.

139
00:06:52,050 --> 00:06:55,020
That's because of a system sitting behind it.

140
00:06:55,020 --> 00:06:59,010
PAM is the name, pluggable authentication modules, and that is

141
00:06:59,010 --> 00:07:03,510
what you can use to configure password complexity demands.

142
00:07:03,510 --> 00:07:07,170
That's not something for this course, but it's useful to

143
00:07:07,170 --> 00:07:10,830
remember the name pluggable authentication modules.

144
00:07:10,830 --> 00:07:11,663
That's all.