Lab 154: Password Management

Perform a ticket-style password reset for a user account and enforce a concrete aging policy using passwd, then provide proof of the final state using status output suitable for documentation or a change record.

Scenario

“Satoshi forgot their password. Force a reset and enforce policy.” You must reset the password, force a change at next login, set aging parameters, and verify status so the ticket has proof of compliance.

Operator context

Do evidence-first admin work. Capture the baseline state, apply changes explicitly, then prove the end state using the same tool the system uses for status.

Objective

  • Capture baseline password status for the user with passwd -S.
  • Reset the password using passwd.
  • Apply the ticket policy in one command:
    • Force password change at next login.
    • Minimum days between changes: 7.
    • Maximum days before expiration: 90.
    • Warning period: 14 days.
    • Inactive lock after expiration: 30 days.
  • Prove the final policy state using passwd -S.

Concepts

  • passwd -S provides ticket-friendly evidence: set date and aging fields.
  • Administrative resets are separate from policy enforcement: the reset changes the secret, while aging controls when it must change next.
  • Forced change at next login is a standard control after resets or compromise response.
  • Aging parameters align to operational policy: minimum change interval, maximum lifetime, warning period, and post-expiry inactivity lock.

Walkthrough

Step 1: Capture the baseline password status.
Command
passwd -S satoshi

This is your before-state proof. It documents whether a password is set and shows aging fields in one line, which is useful for tickets and change records.

# Example output:
satoshi P 05/20/2025 0 99999 7 -1 (Password set, SHA512 crypt.)

Step 2: Reset the password.
Command
passwd satoshi

This performs the administrative reset. In real ops, you would set a temporary password via an approved method and then force a change at next login.

# Example session:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Step 3: Apply the ticket policy in one command.
Command
passwd -e -n 7 -x 90 -w 14 -i 30 satoshi

This enforces policy immediately. It forces an update at next login and applies minimum, maximum, warning, and inactive lock parameters exactly as specified in the ticket.

# Example output:
passwd: password expiry information changed.

Step 4: Prove the final status reflects policy.
Command
passwd -S satoshi

This is your after-state proof for the ticket. The fields should reflect the new minimum/maximum/warn/inactive values.

# Example output:
satoshi P 05/20/2025 7 90 14 30 (Password set, SHA512 crypt.)
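The after-state proof above is normally read by eye. The following script is an added example (not part of the lab) that checks a `passwd -S` line mechanically against the ticket values, so the same verification can be attached to a change record; it assumes the shadow-utils field order shown in this lab (login, status, last change, min, max, warn, inactive) and uses constructed sample lines copied from the Step 1 and Step 4 outputs.

```shell
#!/bin/sh
# Added example: verify a `passwd -S` line against the ticket's aging policy.
# Field order (shadow-utils): login status last-change min max warn inactive
# Status codes per passwd(1): P = usable password, L = locked, NP = no password.

POLICY_MIN=7        # ticket: minimum days between changes
POLICY_MAX=90       # ticket: maximum days before expiration
POLICY_WARN=14      # ticket: warning period in days
POLICY_INACTIVE=30  # ticket: inactive lock after expiration, in days

# check_policy "<passwd -S line>": prints PASS, or one FAIL line per mismatch;
# returns 0 only when status is P and every aging field matches the ticket.
check_policy() {
    line=$1
    set -- $line   # split on whitespace; the trailing "(Password set, ...)" text is ignored
    login=$1 status=$2 lastchg=$3 min=$4 max=$5 warn=$6 inactive=$7
    rc=0
    [ "$status" = "P" ] || { echo "FAIL $login: status $status (expected P, usable password)"; rc=1; }
    [ "$min" = "$POLICY_MIN" ] || { echo "FAIL $login: min $min (expected $POLICY_MIN)"; rc=1; }
    [ "$max" = "$POLICY_MAX" ] || { echo "FAIL $login: max $max (expected $POLICY_MAX)"; rc=1; }
    [ "$warn" = "$POLICY_WARN" ] || { echo "FAIL $login: warn $warn (expected $POLICY_WARN)"; rc=1; }
    [ "$inactive" = "$POLICY_INACTIVE" ] || { echo "FAIL $login: inactive $inactive (expected $POLICY_INACTIVE)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS $login: min=$min max=$max warn=$warn inactive=$inactive last-change=$lastchg"
    return $rc
}

# verify_user <login>: run the real status command (requires root) and check it.
verify_user() {
    check_policy "$(passwd -S "$1")"
}

# Constructed sample lines, copied from the lab's before/after outputs.
BEFORE="satoshi P 05/20/2025 0 99999 7 -1 (Password set, SHA512 crypt.)"
AFTER="satoshi P 05/20/2025 7 90 14 30 (Password set, SHA512 crypt.)"

if [ "${1:-}" = "--demo" ]; then
    check_policy "$BEFORE" || true   # baseline: four FAIL lines, policy not yet applied
    check_policy "$AFTER"            # after Step 3: PASS
fi
```

Run it as `sh check_policy.sh --demo` for the sample lines, or call `verify_user satoshi` as root to check the live account.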

Common breakpoints

passwd returns “Permission denied”

You are not root or do not have sufficient privileges. Perform the workflow as root or via approved privilege escalation.

Forced change does not appear to take effect

Confirm you targeted the correct account name and re-check status using passwd -S. If policy is managed by centralized tooling, local changes may be overridden.

User cannot change password due to minimum days

Minimum days can block immediate changes after a reset. If your policy requires “change at next login,” ensure the minimum value is compatible with that operational requirement.

Status output fields look different from expected

Output formatting varies by distro and PAM tooling. Use the numeric fields as the primary evidence and keep your policy values explicit in the ticket.

Cleanup checklist

This lab applies real changes to the user’s password and aging policy. If you are using a training account, confirm you have a known password state before ending the session.

Command
passwd -S satoshi

Success signal

passwd -S shows the enforced values (min 7, max 90, warn 14, inactive 30) and the account is in a known state.

Reference

  • passwd -S <user> : Show password status and aging fields for a user.
  • passwd <user> : Set or reset a user password (interactive).
  • passwd -e <user> : Expire the password to force a change at next login.
  • passwd -n <days> <user> : Set minimum days between password changes.
  • passwd -x <days> <user> : Set maximum days before password expiration.
  • passwd -w <days> <user> : Set warning days before password expiration.
  • passwd -i <days> <user> : Set inactive lock days after password expiration.