All available options while creating a user or a group can be modified. The usermod utility has the following main options:
Table 3.3. usermod options
-d | the user's directory |
-g | the user's initial GID |
-l | the user's login name |
-u | the user's UID |
-s | the default shell |
Notice these options are the same as for useradd.
Likewise, you can change details about a group with the groupmod utility. There are mainly two options:
A user's account can be locked by prefixing an exclamation mark to the users password. This can also be done with the following command line tools:
| Lock | Unlock |
|---|---|
| passwd -l | passwd -u |
| usermod -L | usermod -U |
When using shadow passwords, replace the
x with a *
A less useful option is to remove the password entirely with
passwd -d.
Finally, one can also assign /bin/false to the
user's default shell in /etc/passwd.
By default a users password is valid for 99999 days, that is 273,9 years
(default PASS_MAX_DAYS).
The user is warned for 7 days that his password will expire
(default PASS_WARN_AGE) with the following message as he
logs in:
Warning: your password will expire in 6 days
There is another password aging policy number that is called
PASS_MIN_DAYS.
This is the minimum number of days before a user can change his password;
it is set to zero by default.
The chage tool allows an administrator to change all these options.
chage [ -l ] [ -m min_days ] [ -M max_days ] [ -W warn ] [ -I inactive ] [ -E expire ] [ -d last_day ] user
The first option -l lists the current policy values
for a user.
We will only discuss the -E option.
This locks an account at a given date.
The date is either in UNIX days or in YYYY/MM/DD format.
Notice that all these values are stored in the
/etc/shadow file and can be edited directly.