chage, usermod, passwd


Both the passwd and usermod commands can be used to lock or unlock a user account, as well as to modify password ageing information for the account. The chage command, however, can only modify password ageing information, although it does have the ability to expire a user account.

chage

chage only has the capability to modify a user account's password expiry information.

[root@server1 ~]# chage -h
Usage: chage [options] LOGIN

Options:
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximum number of days before password
                                change to MAX_DAYS
  -R, --root CHROOT_DIR         directory to chroot into
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS

passwd

The passwd command is used to set or modify a user's password. It can also modify user account attributes and lock or unlock a user's account.

Locking an account will add an “!” to the beginning of the password field in /etc/shadow; the corresponding unlock flag will remove this “!” from the field.

Locking a user account with the passwd command is accomplished with the -l flag:

[root@server1 ~]# passwd -l user10
Locking password for user user10.
passwd: Success

[root@server1 ~]# grep user10 /etc/shadow
user10:!!$6$xpkPmLMWCP5NFp/h$VYfghUJGyeRt64nQFaTLNLctrryrawaMeEBc99SpsjJv0U6rr3.nLyDNfbbegB3DtIylnnB1dH.RqQ6IAJHT7.:18743:0:99999:7:::

Unlocking a user account with the passwd command is done with the -u flag, shown below:

[root@server1 ~]# passwd -u user10
Unlocking password for user user10.
passwd: Success

[root@server1 ~]# grep user10 /etc/shadow
user10:$6$xpkPmLMWCP5NFp/h$VYfghUJGyeRt64nQFaTLNLctrryrawaMeEBc99SpsjJv0U6rr3.nLyDNfbbegB3DtIylnnB1dH.RqQ6IAJHT7.:18743:0:99999:7:::

Further useful information is found in the man pages or with the help command:

[root@server1 ~]# passwd --help
Usage: passwd [OPTION...] <accountName>
  -k, --keep-tokens       keep non-expired authentication tokens
  -d, --delete            delete the password for the named account (root only); also removes password lock if any
  -l, --lock              lock the password for the named account (root only)
  -u, --unlock            unlock the password for the named account (root only)
  -e, --expire            expire the password for the named account (root only)
  -f, --force             force operation
  -x, --maximum=DAYS      maximum password lifetime (root only)
  -n, --minimum=DAYS      minimum password lifetime (root only)
  -w, --warning=DAYS      number of days warning users receives before password expiration (root only)
  -i, --inactive=DAYS     number of days after password expiration when an account becomes disabled (root only)
  -S, --status            report password status on the named account (root only)
      --stdin             read new tokens from stdin (root only)

Help options:
  -?, --help              Show this help message
      --usage             Display brief usage message

usermod

The usermod command is for modifying user account attributes, but it may also be used to lock or unlock the user account with the -L and -U flags respectively, as seen below.

Locking a user account with the usermod command:

[root@server1 ~]# usermod -L user10
[root@server1 ~]# grep user10 /etc/shadow
user10:!$6$xpkPmLMWCP5NFp/h$VYfghUJGyeRt64nQFaTLNLctrryrawaMeEBc99SpsjJv0U6rr3.nLyDNfbbegB3DtIylnnB1dH.RqQ6IAJHT7.:18743:0:99999:7:::

usermod can unlock an account with the -U flag:

[root@server1 ~]# usermod -U user10
[root@server1 ~]# grep user10 /etc/shadow
user10:$6$xpkPmLMWCP5NFp/h$VYfghUJGyeRt64nQFaTLNLctrryrawaMeEBc99SpsjJv0U6rr3.nLyDNfbbegB3DtIylnnB1dH.RqQ6IAJHT7.:18743:0:99999:7:::

More flags are available for the usermod command and can be discovered via the man pages or with the help command:

[root@server1 ~]# usermod --help
Usage: usermod [options] LOGIN

Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -g, --gid GROUP               force use GROUP as new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplemental GROUPS
                                mentioned by the -G option without removing
                                the user from other groups
  -h, --help                    display this help message and exit
  -l, --login NEW_LOGIN         new value of the login name
  -L, --lock                    lock the user account
  -m, --move-home               move contents of the home directory to the
                                new location (use only with -d)
  -o, --non-unique              allow using duplicate (non-unique) UID
  -p, --password PASSWORD       use encrypted password for the new password
  -R, --root CHROOT_DIR         directory to chroot into
  -P, --prefix PREFIX_DIR       prefix directory where are located the /etc/* files
  -s, --shell SHELL             new login shell for the user account
  -u, --uid UID                 new UID for the user account
  -U, --unlock                  unlock the user account
  -v, --add-subuids FIRST-LAST  add range of subordinate uids
  -V, --del-subuids FIRST-LAST  remove range of subordinate uids
  -w, --add-subgids FIRST-LAST  add range of subordinate gids
  -W, --del-subgids FIRST-LAST  remove range of subordinate gids
  -Z, --selinux-user SEUSER     new SELinux user mapping for the user account
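
The lock marker written by passwd -l and usermod -L and the account expiry date set by chage -E are separate fields in /etc/shadow, and a locked password does not by itself expire the account. The following audit helper is an added example, not part of the original page: it classifies shadow-format records by both fields. The function names, the state labels and the sample records (including the placeholder hashes) are constructed for illustration.

```sh
#!/bin/sh
# Added example: report password-lock state and account-expiry state per user.
# shadow(5) fields: name:password:lastchg:min:max:warn:inactive:expire:reserved

# shadow_status [TODAY_DAYS]   reads shadow-format lines on stdin.
# TODAY_DAYS is days since 1970-01-01 (defaults to the current date).
shadow_status() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        NF < 8 { next }                      # skip blank or malformed lines
        {
            pw = $2
            if (pw == "")             lock = "empty-password"      # no password required
            else if (pw ~ /^[!*]+$/)  lock = "no-usable-password"  # never set, or disabled
            else if (pw ~ /^!/)       lock = "password-locked"     # "!" or "!!" before a hash
            else                      lock = "password-set"
            # Assumption: treated as expired once today reaches the expire field.
            acct = ($8 != "" && today >= $8 + 0) ? "account-expired" : "account-valid"
            print $1, lock, acct
        }'
}

# Constructed sample records; the hashes are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
alice:$6$CONSTRUCTEDSALT$constructedhash:18743:0:99999:7:::
bob:!!$6$CONSTRUCTEDSALT$constructedhash:18743:0:99999:7:::
carol:!$6$CONSTRUCTEDSALT$constructedhash:18743:0:99999:7:::
dave:$6$CONSTRUCTEDSALT$constructedhash:18743:0:99999:7::0:
erin:!!:18743:0:99999:7:::
EOF
}

# Day 18750 is a fixed date so the result is reproducible.
sample_shadow | shadow_status 18750
```

On a real host, run it as root with `shadow_status < /etc/shadow`. Accounts reported as password-locked but account-valid can still authenticate by means that do not use the password, such as SSH public keys.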