Lab 15: Manage User Accounts and Password Policies

Provision a new user account and enforce password policy controls using standard Linux account tooling. Validate the outcome by forcing a first-login password change, inspecting aging metadata, and confirming default policy sources.

users security core

Scenario

A new intern has joined your company. You’re responsible for creating the account, setting an initial password, enforcing a first-login password change, applying password expiration policy, and verifying the effective aging configuration.

Operator context

User provisioning is not just “create an account.” You need repeatable guardrails: predictable defaults, controlled access, and proof that policy is actually applied.

Objective

  • Create a new user account named intern.
  • Set an initial password for the account.
  • Force a password change on first login using account aging.
  • Inspect password aging settings for the user.
  • Identify where default account policy values are defined.

What You’ll Practice

  • Account creation with useradd.
  • Password assignment with passwd.
  • Enforcing first-login password rotation with chage -d 0.
  • Auditing aging policy using chage -l.
  • Locating default policy sources via /etc/login.defs.

Walkthrough

Step 1 : Create the user account.
Command
sudo useradd intern

This creates the account entry so the system can manage the user. On many systems, defaults (like home directory creation) depend on local policy and useradd configuration.

id intern
# Confirm the account exists and has a UID/GID.

Step 2 : Set the user’s password.
Command
sudo passwd intern

passwd updates the account’s authentication secret and writes the relevant state to the shadow database.

Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Step 3 : Force a password change on first login.
Command
sudo chage -d 0 intern

Setting the “last password change” date to 0 effectively expires the current password, forcing the user to rotate it at next login. This is a common onboarding control.

# On next login, the user should be prompted to change the password.

Step 4 : Display account aging information.
Command
chage -l intern

This is your audit view: it shows the aging policy that will determine when passwords expire, warnings are issued, and whether the account has an expiration date.

Last password change                                    : Jul 18, 2025
Password expires                                        : Aug 17, 2025
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 30
Number of days of warning before password expires       : 7

Step 5 : Identify the default policy file for new accounts.
Command
/etc/login.defs

/etc/login.defs is a primary reference for default password aging and account settings used by shadow-utils tooling. Knowing where defaults come from matters when you need consistency across many accounts.

# Example fields you may see in /etc/login.defs:
PASS_MAX_DAYS   30
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
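
One way to turn the checks from Steps 2, 3 and 5 into a repeatable audit, as an added example that is not part of the original lab: it parses a single shadow record and compares its stored maximum age with the PASS_MAX_DAYS default. The function names, finding labels and sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit one /etc/shadow record against login.defs defaults.
# All sample data below is constructed, not taken from a real system.

SAMPLE_DEFS='PASS_MAX_DAYS   30
PASS_MIN_DAYS   0
PASS_WARN_AGE   7'
# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_OK='intern:$6$constructed$hash:0:0:30:7:::'
SAMPLE_DRIFT='intern:!!:20287:0:99999:7:::'

# defs_value KEY TEXT: print the last value assigned to KEY (comment lines never match).
defs_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# audit_shadow LINE DEFS_TEXT: print one finding per check, space separated.
audit_shadow() {
    IFS=: read -r _user _hash _lastchg _min _max _warn _rest <<EOF
$1
EOF
    _want=$(defs_value PASS_MAX_DAYS "$2")
    # Step 2 check: empty, "*" or a leading "!" means no usable password
    # (never set, or locked).
    case $_hash in
        ''|'*'|'!'*) _out="NO_PASSWORD" ;;
        *)           _out="PASSWORD_SET" ;;
    esac
    # Step 3 check: chage -d 0 stores 0 in the last-change field.
    if [ "$_lastchg" = 0 ]; then
        _out="$_out CHANGE_FORCED"
    else
        _out="$_out CHANGE_NOT_FORCED"
    fi
    # Step 5 check: the account's max age must not exceed the site default.
    if [ -n "$_max" ] && [ -n "$_want" ] && [ "$_max" -le "$_want" ]; then
        _out="$_out MAX_OK"
    else
        _out="$_out MAX_DRIFT"
    fi
    printf '%s\n' "$_out"
}

# Demo on the constructed records; on a real host (as root) use:
#   audit_shadow "$(getent shadow intern)" "$(cat /etc/login.defs)"
audit_shadow "$SAMPLE_OK" "$SAMPLE_DEFS"
audit_shadow "$SAMPLE_DRIFT" "$SAMPLE_DEFS"
```

The second record shows why the audit is worth running: an account whose maximum age was never aligned with the default still reports its own stored value, whatever /etc/login.defs says now.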

Reference

  • useradd <user> : Creates a new local user account entry.
  • passwd <user> : Sets or updates the user’s password.
  • chage -d 0 <user> : Expires the password immediately so the user must change it at next login.
  • chage -l <user> : Displays password aging and expiration information for a user.
  • /etc/login.defs : Defines default account and password policy values for tools in the shadow-utils stack (UID/GID ranges and password aging defaults).