Last updated: 2015-05-15






-u, --unlock                  # unlock the password of the named account

-l, --lock                      # lock the password of the named account

-i, --inactive INACTIVE  # set password inactive after expiration to INACTIVE

-e, --expire                  # force expire the password for the named account

-S, --status

--stdin             # passwd should read the new password (now raw format) from stdin, which can be a pipe.

LoginName      L | NP | P     last_password_change    min_age    max_age    warning_period     inactivity_period

(L) user account is locked

(NP) has no password

(P) has a usable password


passwd -S

root P 05/15/2015 0 99999 7 -1


Batch change password



echo "Username:Password" | chpasswd

# reads /etc/login.defs to find out which method is used to encrypt the password


 * Not to be confused with chgpasswd


vipw, vigr


-s    # will edit the shadow versions of those files


shadow db format


Password, 13 character encrypted.

A blank entry (eg. ::) indicates a password is not required to log in (usually a bad idea), and

a "*" entry (eg. :*:) indicates the account has been disabled.

linux shadow exclamation mark

'!' and '!!' mean essentially the same thing, but different tools use one or the other: passwd -l, for instance, uses a pair of exclamation points, while usermod -L uses only one.

If the field is an invalid hash (which all of '*', '!', and '!!' are), it effectively locks the account and prevents logins to that account.



Often this is furthered by setting the account's shell to something like /bin/false or /sbin/nologin in the /etc/passwd file.



nologin - politely refuse a login (displays a message that an account is not available and exits non-zero)

false - Exit with a status code indicating failure ( $?=1 )

password format:


ID  | Method
1   | MD5
2a  | Blowfish (not in mainline glibc; added in some
    | Linux distributions)
5   | SHA-256 (since glibc 2.7)
6   | SHA-512 (since glibc 2.7)

Old format: CRYPT(3)

13 characters from [a-zA-Z0-9./], encrypted with the DES (Data Encryption Standard) algorithm

salt: the first two characters represent the salt itself (4096 different ways.)

key: lowest 7 bits of each of the first eight characters of the key
     (the key space consists of 2**56, which equals 7.2e16, possible values.)

# random salt

openssl passwd -crypt myPassword

openssl passwd -crypt -salt XR SuprScrt
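
Added example (not part of the original notes): a POSIX shell audit that classifies the password field of shadow-format lines using the markers, ID table and 13-character DES format described above. The function names and the sample entries are made up for illustration; the "locked+<method>" case covers a '!' or '!!' placed in front of an existing hash, which is what locking an account that already has a password produces.

```sh
# Map a hash string to a method name using the ID table above.
hash_method() {
    case "$1" in
        '$1$'*)  echo md5 ;;
        '$2a$'*) echo blowfish ;;
        '$5$'*)  echo sha256 ;;
        '$6$'*)  echo sha512 ;;
        *)  # old crypt(3) DES: exactly 13 characters from [a-zA-Z0-9./]
            if printf '%s' "$1" | grep -Eq '^[A-Za-z0-9./]{13}$'; then
                echo des
            else
                echo unknown   # an ID that is not in the table above
            fi ;;
    esac
}

# Classify one password field: empty, locked, locked+<method>, or <method>.
classify_field() {
    case "$1" in
        '')           echo empty ;;
        '*'|'!'|'!!') echo locked ;;
        '!'*)         # '!' or '!!' placed in front of an existing hash
            h=${1#'!'}; h=${h#'!'}
            echo "locked+$(hash_method "$h")" ;;
        *)            hash_method "$1" ;;
    esac
}

# Read shadow-format lines on stdin; print "name kind note" per entry.
audit_shadow() {
    while IFS=: read -r name field others; do
        [ -n "$name" ] || continue
        kind=$(classify_field "$field")
        case "$kind" in
            empty|des|locked+des) note=REVIEW ;;   # no password, or 2**56 DES
            *)                    note=ok ;;
        esac
        printf '%s %s %s\n' "$name" "$kind" "$note"
    done
}

# Constructed sample entries (not real hashes), quoted heredoc so $ is literal.
audit_shadow <<'EOF'
root:$6$CONSTRUCTEDsalt$CONSTRUCTEDhash:16570:0:99999:7:::
alice::16570:0:99999:7:::
bob:!!:16570:0:99999:7:::
carol:!$6$CONSTRUCTEDsalt$CONSTRUCTEDhash:16570:0:99999:7:::
legacy:XRabcdefghijk:16570:0:99999:7:::
EOF
```

To audit a real system, run audit_shadow < /etc/shadow as root; entries marked REVIEW are the blank and old-format DES cases described above.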




verifies the integrity of the users and authentication information.

verify that each entry has:

    ‧ the correct number of fields
    ‧ a unique and valid user name
    ‧ a valid user and group identifier
    ‧ a valid primary group
    ‧ a valid home directory
    ‧ a valid login shell

    ‧ every passwd entry has a matching shadow entry, and every shadow entry has a matching passwd entry
    ‧ passwords are specified in the shadowed file
    ‧ shadow entries have the correct number of fields
    ‧ shadow entries are unique in shadow
    ‧ the last password changes are not in the future


If the entry has the wrong number of fields, the user will be prompted to delete the entire line.
An entry with a duplicated user name is prompted for deletion.
All other errors are warnings and the user is encouraged to run the usermod

-r    # Execute the pwck command in read-only mode.

-s    # Sort entries in /etc/passwd and /etc/shadow by UID.




-a -G

-M    # The user's home directory will not be created, even if the system-wide setting in /etc/login.defs is to create home dirs.




passwd: Module is unknown

ldd `which passwd`

/usr/lib/ => /lib/


ldconfig: /usr/lib/ is not an ELF file - it has the wrong magic bytes at the start.

rpm -qR passwd