Problem Statement
Explain password management in Linux including /etc/shadow, password policies, and the chage command. How do you enforce password complexity and expiration?
Explanation
The /etc/shadow file stores password hashes (the field is conventionally called the "encrypted password") and password aging information, and is readable only by root. Each line has the format username:encrypted_password:last_change:min:max:warn:inactive:expire:reserved. Last_change is the day of the last password change, counted in days since 1970-01-01 (the Unix epoch); min is the minimum number of days between changes; max is the maximum number of days before a change is required; warn is how many days before expiration the user is warned; inactive is the number of days after expiration before the account is locked; expire is the absolute account expiration date, also in days since the epoch.
Manage password aging with chage: chage -l username displays the aging information; chage -M 90 username sets a maximum of 90 days between password changes; chage -m 7 username sets a minimum of 7 days between changes (prevents a user from immediately changing the password back); chage -W 14 username warns 14 days before expiration; chage -E 2024-12-31 username sets the account expiration date; chage -I 30 username locks the account 30 days after the password expires.
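The following script is an added example and is not part of the original answer. It parses a constructed /etc/shadow entry (the hash is a placeholder) using the field layout above, classifies the account's aging state from the last_change/max/warn/inactive fields the way the login stack does, and wraps the chage calls from the answer in a helper that applies one aging policy to an account. The helper names (shadow_field, password_state, apply_aging_policy) are this example's own. days_to_date relies on GNU date.

```shell
#!/bin/sh
# Constructed sample entry; the hash is a placeholder, not a real password hash.
# Day 19723 is 2024-01-01 (days since 1970-01-01).
SAMPLE_SHADOW_LINE='alice:$6$placeholder$notarealhash:19723:7:90:14:30::'

# shadow_field LINE N -> prints field N (1-based) of a shadow entry
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# days_to_date DAYS -> YYYY-MM-DD for a day count since the epoch (GNU date)
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d
}

# password_state LINE TODAY_DAYS -> prints one of: never ok warn expired inactive
# TODAY_DAYS is today's day number: $(( $(date +%s) / 86400 ))
password_state() {
    line=$1; today=$2
    last=$(shadow_field "$line" 3)
    max=$(shadow_field "$line" 5)
    warn=$(shadow_field "$line" 6)
    inactive=$(shadow_field "$line" 7)
    # An empty or 99999 max means the password never expires.
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo never; return 0; fi
    # last_change of 0 forces a change at the next login.
    if [ -z "$last" ] || [ "$last" -eq 0 ]; then echo expired; return 0; fi
    expires=$(( last + max ))
    if [ "$today" -ge "$expires" ]; then
        # After the inactive window the account is locked, not just expired.
        if [ -n "$inactive" ] && [ "$today" -ge $(( expires + inactive )) ]; then
            echo inactive
        else
            echo expired
        fi
        return 0
    fi
    # Inside the warning window the user is still allowed in but warned.
    if [ -n "$warn" ] && [ "$today" -ge $(( expires - warn )) ]; then echo warn; return 0; fi
    echo ok
}

# apply_aging_policy USER -> the chage options from the answer applied to one
# account in a single call, then the resulting aging information. Needs root;
# it is defined here and only runs when you call it explicitly.
apply_aging_policy() {
    chage -m 7 -M 90 -W 14 -I 30 "$1" && chage -l "$1"
}

# Demo on the constructed entry: state on 2024-03-17 (day 19797) and 2024-04-01 (day 19814)
echo "user $(shadow_field "$SAMPLE_SHADOW_LINE" 1): $(password_state "$SAMPLE_SHADOW_LINE" 19797)"
echo "user $(shadow_field "$SAMPLE_SHADOW_LINE" 1): $(password_state "$SAMPLE_SHADOW_LINE" 19814)"
```

To check a real account, pass a line from /etc/shadow (as root) and today's day number: password_state "$(grep '^alice:' /etc/shadow)" $(( $(date +%s) / 86400 )). The state labels match what chage -l reports in prose form, so the function is useful for scripted audits across many accounts.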
Enforce password complexity with PAM (Pluggable Authentication Modules) configuration in /etc/pam.d/common-password (Debian/Ubuntu) or /etc/pam.d/system-auth (RHEL/CentOS; on RHEL 8 and later this file is generated by authselect, so change a custom authselect profile rather than editing it directly). Install the libpam-pwquality package. Configure pam_pwquality.so with options on the PAM line or in /etc/security/pwquality.conf: minlen=12 (minimum length), dcredit=-1 (require at least one digit), ucredit=-1 (require at least one uppercase letter), ocredit=-1 (require at least one special character), lcredit=-1 (require at least one lowercase letter), difok=3 (minimum number of characters that must differ from the old password), maxrepeat=2 (maximum run of the same repeated character). A negative credit value means "at least this many of that class"; a positive value only grants length credit.
Password history prevents reusing recent passwords: configure pam_unix.so with remember=10 to keep the last 10 password hashes (stored in /etc/security/opasswd). Failed login attempts: pam_faillock.so locks an account after N failed attempts within a time window, mitigating brute force; its settings live in /etc/security/faillock.conf and the module must be present in both the auth and account phases of the PAM stack to take effect. Example: deny=5 unlock_time=900 locks the account after 5 failures for 15 minutes.
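The script below is an added example, not code from the original answer. It does two things for the settings just described: write_policy_files stages pwquality.conf and faillock.conf fragments, plus an illustrative password-phase PAM fragment, into a directory of your choice so they can be reviewed and diffed before being copied under /etc, and check_password is a local pre-check that mirrors the pam_pwquality options from the answer (minlen=12, dcredit/ucredit/lcredit/ocredit=-1, maxrepeat=2) so a help desk or provisioning script can explain why a candidate password would be rejected. The function names and the test passwords are this example's own; difok is not mirrored because it needs the old password.

```shell
#!/bin/sh
# check_password PASSWORD -> exit 0 and print "accepted" if the password meets
# the mirrored pwquality policy, else exit 1 and print "rejected:" plus the
# names of the options it violates.
check_password() {
    pw=$1
    fail=''
    [ ${#pw} -ge 12 ] || fail="$fail minlen"                         # minlen=12
    printf '%s' "$pw" | grep -q '[[:digit:]]' || fail="$fail dcredit"   # dcredit=-1
    printf '%s' "$pw" | grep -q '[[:upper:]]' || fail="$fail ucredit"   # ucredit=-1
    printf '%s' "$pw" | grep -q '[[:lower:]]' || fail="$fail lcredit"   # lcredit=-1
    printf '%s' "$pw" | grep -q '[^[:alnum:]]' || fail="$fail ocredit"  # ocredit=-1
    # maxrepeat=2: a run of three identical characters is rejected (BRE backreference)
    printf '%s' "$pw" | grep -q '\(.\)\1\1' && fail="$fail maxrepeat"
    if [ -n "$fail" ]; then
        echo "rejected:$fail"
        return 1
    fi
    echo accepted
    return 0
}

# write_policy_files DIR -> stage the configuration fragments into DIR.
# Copy them to /etc/security/ (and the PAM fragment into the distribution's
# password stack) only after review.
write_policy_files() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/pwquality.conf" <<'EOF'
# /etc/security/pwquality.conf: values matching the pam_pwquality options in the answer
minlen = 12
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
difok = 3
maxrepeat = 2
EOF
    cat > "$dir/faillock.conf" <<'EOF'
# /etc/security/faillock.conf: lock after 5 failures, unlock after 15 minutes
deny = 5
unlock_time = 900
EOF
    cat > "$dir/password-stack.fragment" <<'EOF'
# Illustrative password-phase lines (example only; adapt to the distribution's
# own stack). pam_pwquality must run before pam_unix so the new password is
# checked before it is hashed; use_authtok makes pam_unix reuse that password.
password  requisite  pam_pwquality.so retry=3
password  required   pam_unix.so shadow use_authtok remember=10
EOF
}

# Demo with constructed inputs
check_password 'Correct-Horse9Battery'
check_password 'password123' || true
```

Run write_policy_files /tmp/pam-staging, inspect the three files, then copy the two .conf files into /etc/security/ and merge the password-stack lines into common-password or the authselect profile. Because pwquality.conf carries the values, the pam_pwquality.so line itself can stay short, which keeps the policy in one reviewable place.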
Best practices: enforce minimum complexity (12+ characters, mixed case, numbers, symbols), regular password changes (60-90 days max age), prevent password reuse (remember last 10+), account lockout after failed attempts, user education on password security, consider key-based authentication over passwords for SSH, use password managers for complex passwords, and regular password audits with tools like John the Ripper (authorized testing only).