What Flag Can Be Used In Linux With The Passwd Command: Passwd Command Option Usage

The `-d` flag with the Linux passwd command deletes a user’s password, allowing passwordless login. If you’ve ever wondered what flag can be used in Linux with the passwd command to lock, expire, or remove a password, you are in the right place. This article covers all the essential flags, their use cases, and real-world examples.

Passwords are the backbone of user security on Linux. The passwd command is your go-to tool for managing them. But it does more than just change a password. With the right flags, you can lock accounts, force password changes, or even delete passwords entirely.

Let’s break down each flag step by step. You’ll learn exactly how to use them, when to use them, and what happens when you do.

What Flag Can Be Used In Linux With The Passwd Command

The short answer is that many flags exist, but the most common ones include `-d`, `-l`, `-u`, `-e`, `-x`, `-n`, `-w`, and `-i`. Each flag serves a specific purpose. Below, we cover all of them in detail.

The -d Flag: Delete A User’s Password

The `-d` flag deletes a user’s password. After using it, the user can log in without a password. This is useful for service accounts or temporary access.

Example: sudo passwd -d username

Be careful. Deleting a password leaves the account wide open. Only use this for non-interactive accounts or in test environments.

The -l Flag: Lock A User Account

The `-l` flag locks a user’s password. It prepends an exclamation mark to the encrypted password in /etc/shadow. This prevents login using password authentication.

Example: sudo passwd -l username

Locked accounts can still log in via SSH keys or other methods. To fully disable an account, combine this with other tools like usermod.

The -u Flag: Unlock A User Account

The `-u` flag reverses the lock. It removes the exclamation mark from the password hash. The user can then log in normally again.

Example: sudo passwd -u username

This is handy when you temporarily locked an account for maintenance and want to restore access.
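The state that `-d`, `-l` and `-u` leave behind is visible in the second field of each /etc/shadow line, so it can be audited directly. The following is an added example, not part of the original article: the sample users and hashes are constructed, the function names `classify_shadow` and `empty_password_accounts` are hypothetical, and it goes slightly beyond the text by also separating accounts that never had a hash (`*`, `!`, `!!`).

```shell
#!/bin/sh
# Classify accounts by the password field (field 2) of shadow-format lines.
# Reads shadow-format text on stdin, prints "user STATE" per line.
classify_shadow() {
    awk -F: '
        /^#/ || NF < 2 { next }
        {
            pw = $2
            if (pw == "")                      state = "EMPTY"     # left by passwd -d
            else if (pw ~ /^!+$/ || pw == "*") state = "NOLOGIN"   # no hash was ever set
            else if (pw ~ /^!/)                state = "LOCKED"    # passwd -l: "!" + hash
            else                               state = "PASSWORD"  # usable password hash
            print $1, state
        }'
}

# Constructed sample data (placeholder hashes, not real ones).
SAMPLE_SHADOW='root:$6$salt$hashhashhash:19800:0:99999:7:::
alice:$6$salt$hashhashhash:19797:0:90:7:30::
bob:!$6$salt$hashhashhash:19700:0:90:7:::
svc_backup::19650:0:99999:7:::
daemon:*:19000:0:99999:7:::
newuser:!!:19801:0:99999:7:::'

# Accounts that accept a login with no password at all.
empty_password_accounts() {
    classify_shadow | awk '$2 == "EMPTY" { print $1 }'
}

# On a live system (root required): classify_shadow < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow
```

Only a LOCKED entry still carries a hash behind the `!`, which is why `-u` can restore it; an EMPTY entry is the one to alert on.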

The -e Flag: Expire A User’s Password

The `-e` flag forces a user to change their password at next login. It sets the password’s last change date to epoch (January 1, 1970).

Example: sudo passwd -e username

Use this when you suspect a password has been compromised or as part of a security policy.

The -x Flag: Set Maximum Password Age

The `-x` flag sets the maximum number of days a password remains valid. After that, the user must change it.

Example: sudo passwd -x 90 username

This enforces password rotation. Common values are 30, 60, or 90 days.

The -n Flag: Set Minimum Password Age

The `-n` flag sets the minimum number of days before a password can be changed again. This prevents users from cycling through passwords too quickly.

Example: sudo passwd -n 7 username

Combine with `-x` for a complete password policy.

The -w Flag: Set Warning Period

The `-w` flag sets the number of days before password expiration that the user receives a warning.

Example: sudo passwd -w 7 username

Default is often 7 days. Users see a warning message when they log in.

The -i Flag: Set Inactivity Period

The `-i` flag sets the number of days after password expiration before the account is locked. This is the grace period.

Example: sudo passwd -i 30 username

After 30 days of inactivity (expired password), the account locks. The user must contact an admin to regain access.
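How `-x`, `-w` and `-i` combine into one timeline, and how the state left by `-e` overrides it, worked through on shadow-format fields. This is an added example, not from the original article: the sample lines and the function name `aging_timeline` are constructed, and all day numbers count from January 1, 1970.

```shell
#!/bin/sh
# Derive the aging timeline from shadow-format lines on stdin.
# Fields: 3 = last change (days since 1970-01-01), 5 = max age (-x),
#         6 = warning days (-w), 7 = inactivity days (-i).
# Prints: user warn_day expire_day lock_day   ("-" = not applicable)
aging_timeline() {
    awk -F: '
        NF >= 7 {
            last = $3; max = $5; warn = $6; inact = $7
            if (last == "0") {                  # state left by passwd -e
                print $1, "change-at-next-login"; next
            }
            if (last == "" || max == "" || max + 0 < 0 || max + 0 >= 99999) {
                print $1, "never-expires"; next # aging effectively disabled
            }
            expire = last + max                 # first day the password is expired
            w = (warn == "" || warn + 0 <= 0) ? "-" : expire - warn
            l = (inact == "" || inact + 0 < 0) ? "-" : expire + inact
            print $1, w, expire, l
        }'
}

# Constructed sample data (placeholder hashes, not real ones).
SAMPLE_AGING='alice:$6$salt$hash:19797:0:90:7:30::
carol:$6$salt$hash:0:0:90:7:30::
svc:$6$salt$hash:19797:0:99999:7:::'

# A day number converts to a calendar date with GNU date, for example:
#   date -u -d "@$((19887 * 86400))" +%F
printf '%s\n' "$SAMPLE_AGING" | aging_timeline
```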

The -S Flag: Show Password Status

The `-S` flag displays the current password status for a user. It shows whether the password is locked, when it was last changed, and aging information.

Example: sudo passwd -S username

Output looks like: `username P 03/15/2024 0 90 7 30`. The fields are: username, status (P for password, L for locked), last change date, min days, max days, warning days, inactivity days.
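Because the status line has a fixed field order, it can be checked against a policy mechanically. The following is an added example, not from the original article: the sample lines are constructed, `audit_status` is a hypothetical name, and it assumes the shadow-utils `NP` status (no password) in addition to the `P` and `L` values listed above.

```shell
#!/bin/sh
# Audit `passwd -S` status lines against an aging policy.
# Line layout: user status last-change min max warn inactive
# Usage: audit_status MAX_DAYS WARN_DAYS < status_lines
# Prints one "user finding" line per violation.
audit_status() {
    awk -v maxlim="$1" -v warnmin="$2" '
        NF != 7 { next }                    # skip malformed lines
        {
            user = $1; st = $2; max = $5 + 0; warn = $6 + 0
            if (st == "NP") print user, "no-password"
            if (st == "L")  next            # locked: aging checks are moot
            if (max < 0 || max > maxlim) print user, "max-age-too-long"
            if (warn < warnmin)          print user, "warning-too-short"
        }'
}

# Constructed sample, in the layout the section describes.
SAMPLE_STATUS='alice P 03/15/2024 0 90 7 30
bob L 01/10/2024 0 90 7 -1
svc_backup NP 11/20/2023 0 99999 7 -1
dave P 02/01/2024 0 365 0 -1'

# On a live system (root required), one assumed way to feed it:
#   for u in $(getent passwd | cut -d: -f1); do passwd -S "$u"; done | audit_status 90 7
printf '%s\n' "$SAMPLE_STATUS" | audit_status 90 7
```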

The -a Flag: Set Account Expiration

The `-a` flag sets the account expiration date. After this date, the user cannot log in.

Example: sudo passwd -a 2025-12-31 username

Use this for temporary employees or contractors.

Common Use Cases For Passwd Flags

  • Lock a user account after multiple failed login attempts: sudo passwd -l username
  • Force a password change on first login: sudo passwd -e username
  • Set password to never expire: sudo passwd -x -1 username
  • Delete password for a service account: sudo passwd -d username
  • Check if a user’s password is locked: sudo passwd -S username

How To Combine Multiple Flags

You can use multiple flags in one command. For example, to set both max age and warning period:

sudo passwd -x 90 -w 7 username

Order doesn’t matter. Just list all flags before the username.

Be careful when combining `-d` with other flags. Deleting a password overrides other settings.

Security Considerations

Using the `-d` flag is risky. Anyone can log in as that user without a password. Always ensure the account is not exposed to the internet.

Locking an account with `-l` is safer for temporary disablement. But remember, SSH keys still work.

Password aging flags help enforce security policies. Set reasonable values. Too short a max age frustrates users. Too long invites brute force attacks.

Always use sudo when modifying other users’ passwords. Regular users can only change their own password (without flags).

Common Mistakes And How To Avoid Them

  • Forgetting sudo: Most flags require root privileges. You’ll get a permission error.
  • Locking yourself out: If you lock your own account and have no other access, you’re stuck. Use a secondary admin account.
  • Setting negative values: Some flags accept -1 for no limit. Others don’t. Check the man page.
  • Not checking status first: Use `-S` before making changes to understand the current state.

Real-World Example: Setting Up A Temporary Account

Suppose you need to give a contractor access for 30 days. Here’s a step-by-step:

  1. Create the user: sudo useradd -m contractor
  2. Set a temporary password: sudo passwd contractor
  3. Force password change on first login: sudo passwd -e contractor
  4. Set max password age to 30 days: sudo passwd -x 30 contractor
  5. Set warning at 7 days: sudo passwd -w 7 contractor
  6. Set account expiration: sudo passwd -a 2025-05-01 contractor

Now the contractor must change their password immediately. Their account expires on May 1, 2025. If they don’t change the password within 30 days, it expires. They get a warning 7 days before.

Using Passwd In Scripts

You can use passwd in shell scripts, but be careful with interactive prompts. Use `--stdin` (not available on all distros) or chpasswd for non-interactive changes.

Example with chpasswd:

echo "username:newpassword" | sudo chpasswd

For flag operations, you can script them directly:

for user in user1 user2 user3; do sudo passwd -x 90 "$user"; done

Comparing Passwd With Other Tools

The passwd command is user-focused. For more advanced account management, use usermod or chage.

  • usermod: Can lock, unlock, change UID, home directory, etc.
  • chage: Specializes in password aging. Offers more options than passwd.

Example using chage to set max age: sudo chage -M 90 username

Passwd is simpler for quick tasks. For bulk operations, consider chage or a configuration management tool.

Troubleshooting Common Issues

Issue: “passwd: Authentication token manipulation error”
Solution: You likely don’t have sudo privileges. Use sudo.

Issue: “passwd: user ‘username’ does not exist”
Solution: Check spelling. Use getent passwd to list users.

Issue: “passwd: password expiry information changed” but nothing happened
Solution: Check with sudo passwd -S username. The change may have applied.

Issue: User can’t log in after unlocking
Solution: Check if the account is expired. Use sudo chage -l username.

Best Practices For Password Management

  • Never delete passwords for human users. Use locking or expiration instead.
  • Enforce password rotation with reasonable intervals.
  • Use strong passwords. Consider a password manager.
  • Monitor /var/log/auth.log for failed login attempts.
  • Combine passwd with PAM modules for advanced policies.

Frequently Asked Questions

Q: What flag can be used in Linux with the passwd command to delete a password?
A: The `-d` flag deletes a user’s password. Use with caution.

Q: Can I lock a user account without using passwd?
A: Yes. Use usermod -L username or edit /etc/shadow directly (not recommended).

Q: How do I force a user to change password at next login?
A: Use sudo passwd -e username. The user will be prompted on next login.

Q: What does the -S flag show?
A: It shows the password status: locked/unlocked, last change date, aging parameters.

Q: Is there a flag to set password length?
A: No. Password length is controlled by PAM modules like pam_pwquality, not passwd.

Conclusion

You now know what flag can be used in Linux with the passwd command for every common task. From deleting passwords with `-d` to locking accounts with `-l`, each flag serves a specific purpose. Use them wisely to keep your system secure.

Remember to always test flags on a non-production system first. Check the man page (man passwd) for the complete list of options. And never share your root password.

Practice these commands in a safe environment. You’ll become proficient in no time. If you have questions, leave a comment below.