Understanding user password authentication in Linux
The user authentication process in Linux typically involves validating the entered credentials against the stored user information in the /etc/passwd and /etc/shadow files.
When a user attempts to log in, they provide a username and password. The system then performs the following steps to authenticate the user:
1. The system looks up the username in the /etc/passwd file. If the username isn’t found in that file, the system denies the login request because it doesn’t recognize the username.
2. If the username is found, the system then looks up the user’s password information in the /etc/shadow file. This file contains the hashed password for each user along with other account information.
3. The system checks the password field in the /etc/shadow file. If it starts with a ! or *, the account is locked, and the system denies the login request regardless of whether the correct password was entered.
4. If the account isn’t locked, the system hashes the entered password using the same method (and salt) that was used to hash the stored password, then compares the result with the stored hash.
5. If the hashed entered password matches the stored hash, the user is authenticated and granted access. If the hashes don’t match, the system denies the login request.
Check account status in Linux with the passwd command
To check if an account is locked in Linux, you can use the passwd command with the -S option. Here’s how you can do it:
Open a terminal or SSH into the Linux system as a user with sufficient privileges (such as the root user or a user with sudo access).
Run the following command, replacing <username> with the username of the account you want to check:
passwd -S <username>
For example, to check if the account “john” is locked, you would run:
passwd -S john
The output of the command will provide information about the account status. If the account is locked, you will see an “L” or “LK” in the second field of the output. If the account is unlocked, you will see “P” or “PS” in the second field.
“L” or “LK” indicates that the account is locked.
“P” or “PS” indicates that the account is unlocked.
Here’s an example of the output when an account is locked:
john LK 2021-06-01 0 99999 7 -1 (Password locked.)
And here’s an example of the output when an account is unlocked:
john PS 2021-06-01 0 99999 7 -1 (Password set, SHA512 crypt.)
Check whether an account is locked in Linux with the /etc/shadow file
Apart from the methods mentioned earlier, there is another way to check if an account is locked in Linux by examining the /etc/shadow file. The /etc/shadow file stores the password information for user accounts.
The `/etc/shadow` file in Linux contains the hashed password information for the system’s users, among other things. It is the file where the user’s password (in hashed format), password expiry information, and account status are stored.
To check if a user’s account is locked, you can inspect the password field in the `/etc/shadow` file for that user.
Here is a typical entry in the `/etc/shadow` file:
The entry is made up of nine fields separated by colons:
1. Username
2. Password (hashed)
3. Last password change (days since the UNIX epoch)
4. Minimum password age
5. Maximum password age
6. Password warning period
7. Password inactivity period
8. Account expiration date
9. Reserved field
The password field (2nd field) is where you can see if an account is locked. If the password field starts with `!` or `*`, the account is locked.
You can use the `grep` command to quickly check a user’s entry. Replace `username` with the name of the user you want to check:
sudo grep "^username:" /etc/shadow
The `^` symbol ensures that lines starting with the username are matched (to avoid matching usernames that contain the target username as a substring).
Please note that you need to have superuser (root) privileges to read the `/etc/shadow` file. That’s why the `sudo` command is used.
Here’s an example of an entry in the `/etc/shadow` file for a **locked** account (for a user named `lockeduser`):
In this example, you’ll notice a `!` symbol right at the beginning of the password hash. This indicates that the account is locked, and the user won’t be able to log in using password authentication.
And here’s an example for an **unlocked** account (for a user named `unlockeduser`):
In this case, the password field begins with the hash algorithm ID (`$6$` stands for SHA-512), followed by the salt and the hashed password. There’s no `!` or `*` symbol at the beginning, indicating that this account is unlocked and the user should be able to log in with their password.
Please note that the actual hash and salt values in your `/etc/shadow` file will be different. The ones used in these examples are for illustrative purposes.
How to unlock an account in Linux
If the account is locked, you can unlock it using the passwd command with the -u option. For example:
passwd -u <username>
Replace <username> with the actual username of the locked account.
Note: The specific command and options may vary slightly depending on the Linux distribution you are using.
You can also use the usermod command with the -L switch to lock a user account, which puts a `!` in front of the stored password hash.
Run the usermod command with the -U switch to unlock the account again:
# usermod --unlock howtouselinux
# usermod -U howtouselinux
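To tie the `/etc/shadow` format and the lock/unlock behaviour together, here is an added example (not part of the original post) that parses constructed shadow lines, reports the same LK/PS status that `passwd -S` prints, and shows how the `!` prefix that `usermod -L` adds and `usermod -U` removes leaves the original hash intact. The user names, salts and hash strings are made up for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of /etc/shadow lines; salts and hashes are placeholders,
# not values taken from any real system.
SAMPLE_SHADOW = """\
root:$6$abc123$FAKEHASHROOT:19500:0:99999:7:::
lockeduser:!$6$zyx987$FAKEHASHLOCKED:19480:0:99999:7:::
unlockeduser:$6$saltsalt$FAKEHASHUNLOCKED:19510:0:99999:7:::
nologin:*:19000:0:99999:7:::
"""

@dataclass
class ShadowEntry:
    name: str          # field 1: username
    password: str      # field 2: hashed password (or a lock marker)
    lastchg: str       # field 3: days since epoch of last change
    min_age: str       # field 4
    max_age: str       # field 5
    warn: str          # field 6
    inactive: str      # field 7
    expire: str        # field 8
    reserved: str      # field 9

    def status(self) -> str:
        """Second column of passwd -S: LK locked, NP no password, PS usable hash."""
        if self.password.startswith(("!", "*")):
            return "LK"
        if self.password == "":
            return "NP"
        return "PS"

def parse_shadow(text: str) -> List[ShadowEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 9:
            raise ValueError(f"expected 9 fields, got {len(parts)}: {line!r}")
        entries.append(ShadowEntry(*parts))
    return entries

def find_user(entries: List[ShadowEntry], name: str) -> Optional[ShadowEntry]:
    # Exact match on field 1, like grep "^name:" (no substring matches).
    return next((e for e in entries if e.name == name), None)

def lock_password(field: str) -> str:
    # usermod -L prefixes the hash with "!"; the hash itself is preserved.
    return field if field.startswith("!") else "!" + field

def unlock_password(field: str) -> str:
    # usermod -U removes only that "!" prefix, restoring the original hash.
    return field[1:] if field.startswith("!") else field
```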