About Password and User Account Security
PASSWORD AND USER ACCOUNT SECURITY
The first step to securing user accounts on your system is to use the shadow password file. When you use shadow passwords, passwords are removed from the /etc/passwd file, encrypted, and placed in the /etc/shadow file. By default, shadow passwords are enabled during installation. You can use the following commands to control use of shadow passwords after installation:
• Enter pwconv at the command line to use shadow passwords (use /etc/shadow instead of /etc/passwd). Enter grpconv at the command line to use the /etc/gshadow file for groups.
• Enter pwunconv at the command line to stop using shadow passwords (use /etc/passwd instead of /etc/shadow). Enter grpunconv at the command line to stop using the group shadow file.
Another way to protect user accounts is by using complex passwords. Complex passwords:
• Contain a minimum of eight characters
• Must contain a mix of lower case and upper case letters and numbers
• Do not contain recognizable patterns (such as words or the user account name)
Linux automatically enforces complex passwords. However, as the root user you can set a password that does not meet these complexity requirements.
Finally, you can protect user accounts by setting passwords, disabling accounts, and configuring password expiration times. The following table shows the commands to configure user account security.
As you examine the /etc/passwd and /etc/shadow files, be aware of the following special cases:
• An x in the password field of /etc/passwd indicates that shadow passwords are used.
• A ! for the first character in the password field for a user account identifies the account as disabled.
• Any single-character entry in the password field means the account is disabled and no password is set.
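The following added example (not part of the original page) applies these special cases to constructed /etc/passwd and /etc/shadow entries and reports the state of each account. The hash strings are placeholders; the empty-field case (from shadow(5)) and the missing-entry case are additions beyond the list above.

```python
# Added example. Sample entries are constructed; hash strings are placeholders.
SAMPLE_PASSWD = """\
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
legacy:$6$SALT$PLACEHOLDERHASH:1002:1002::/home/legacy:/bin/bash
ghost:x:1003:1003::/home/ghost:/bin/bash
"""
SAMPLE_SHADOW = """\
alice:$6$SALT$PLACEHOLDERHASH:19000:0:90:7:::
bob:!$6$SALT$PLACEHOLDERHASH:19000:0:90:7:::
daemon:*:19000:0:99999:7:::
"""


def field_state(field):
    """Map one password field to a state using the special cases listed above."""
    if field == "":
        # Not from the page: shadow(5) says an empty field means no password is required.
        return "no password required"
    if len(field) == 1:
        return "disabled, no password set"
    if field.startswith("!"):
        return "disabled"
    return "password set"


def parse(text):
    """Return {username: password_field} from colon-separated passwd/shadow text."""
    rows = (line.split(":") for line in text.splitlines() if line and not line.startswith("#"))
    return {row[0]: row[1] for row in rows if len(row) >= 2}


def audit(passwd_text, shadow_text):
    """Return {username: (file holding the password field, state)}."""
    shadow = parse(shadow_text)
    report = {}
    for user, field in parse(passwd_text).items():
        if field != "x":
            report[user] = ("passwd", field_state(field))  # field still in /etc/passwd
        elif user in shadow:
            report[user] = ("shadow", field_state(shadow[user]))
        else:
            report[user] = ("shadow", "no /etc/shadow entry")
    return report


if __name__ == "__main__":
    for user, (source, state) in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{user:8} {source:7} {state}")
```

To audit a live system, pass the contents of /etc/passwd and /etc/shadow to audit(); reading /etc/shadow requires root.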