1. Overview

In Linux, the /etc/passwd file stores essential information about user accounts. It contains details such as the username, user ID, group ID, home directory, and default shell. However, three main files are involved in the user ecosystem:

Although many utilities directly check the files above, they might not always be in sync or have the proper format, especially if edited by hand. Further, some cached session information could prevent us from using the updated data.

In this tutorial, we’ll explore the appropriate checks to run after modifying the password and account files.

2. Using the vipw Command

The vipw command stands for vi password. We use the vipw command to modify either the /etc/passwd file or the /etc/shadow file, depending on the option we use with the command. In addition, vipw applies appropriate file locks while editing, ensuring that other users and tools cannot disrupt the file during the editing session.

Let’s check out how to edit the /etc/passwd file:

$ sudo vipw
john:x:1001:1005::/home/john:/bin/bash
You have modified /etc/passwd.

By using our preferred text editor, we can change the password for user john. Moreover, we see from the output that the modifications are now in place.

In case we need to do the same for the /etc/shadow file, we utilize the -s option:

$ sudo vipw -s
john:$6$6eXsqsgr$0lowua3l7FRMYoWDbd3g6DBnbgdsng 3NN:16985:0:999999:7:::

Let’s understand the first six colon-separated fields:

  1. username, which is john in our case
  2. encrypted password
  3. last password change
  4. minimum password age
  5. maximum password age
  6. warning period in days before the password expires
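
To make the field layout concrete, here is an added example (not part of the original tutorial) that breaks a shadow entry into labelled facts, including the units: the change date is stored in days since 1970-01-01 and the ages are day counts. The function names are hypothetical, and the sample entry is constructed with a placeholder hash.

```shell
#!/bin/sh
# Constructed sample entry; the hash is a placeholder, not a real one.
SAMPLE_ENTRY='john:$6$examplesalt$PLACEHOLDERHASH:16985:0:99999:7:::'

# describe_shadow ENTRY TODAY_DAYS -> one "key=value" line per fact.
# TODAY_DAYS is the reference date in days since 1970-01-01.
describe_shadow() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        # A shadow entry has nine fields; the last three may be empty.
        if (NF != 9) { print "error=expected 9 fields, found " NF; exit }
        hash = $2
        if (hash == "")            state = "empty (no password required)"
        else if (hash ~ /^[!*]/)   state = "locked or login disabled"
        else if (hash ~ /^\$6\$/)  state = "sha512crypt hash"
        else if (hash ~ /^\$5\$/)  state = "sha256crypt hash"
        else if (hash ~ /^\$y\$/)  state = "yescrypt hash"
        else                       state = "other scheme"
        print "user=" $1
        print "password=" state
        print "age_days=" (today - $3)
        # An empty maximum age means the password never expires.
        if ($5 == "") print "expires_in_days=never"
        else          print "expires_in_days=" ($3 + $5 - today)
        print "warn_days=" $6
    }'
}

# Current date in days since the epoch (date +%s is supported by GNU and BSD date).
today_days() { echo $(( $(date +%s) / 86400 )); }

describe_shadow "$SAMPLE_ENTRY" "$(today_days)"
```

Because the function only reads the string passed to it, it can be run against a single line copied out for review without opening /etc/shadow in an editor.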

For security reasons, it’s rarely recommended to utilize the vipw -s command.

So, to avoid manual changes, we use the passwd command to update the corresponding files automatically.

3. Understanding the passwd Command

We use the passwd command for managing user accounts, including updating password information.

3.1. Theoretical Explanation

The passwd command plays a role in syncing the changes made to the /etc/passwd file. After modifying the /etc/passwd file directly, executing the passwd command ensures that the changes take effect immediately.

First, let’s clarify and understand the difference between the /etc/passwd file and the /etc/shadow file to avoid confusion. The latter stores user account passwords in an encrypted format. Unlike the /etc/passwd file, which doesn’t store any passwords, the /etc/shadow file keeps encrypted versions of the passwords inaccessible to regular users. This enhances security by preventing unauthorized access to the actual passwords.

3.2. Practical Illustration

In essence, to update the /etc/shadow file, it’s usually best to just run passwd:

$ passwd john
New password:
Retype new password:
passwd: password updated successfully

When typing the passwd command, we can either pass the username as an argument (john in this case) or omit the arguments to change the password of the current user. Afterward, we enter the new password twice for validation. Finally, our password is now updated successfully across all files.

4. Using the update-passwd Command

Mainly available on Debian-based systems, the update-passwd command syncs the file changes to all account and password files:

$ sudo update-passwd

In the above example, we use sudo to temporarily act as the superuser with root privileges and avoid permission errors. Here, we sync the updated password in all related files. In essence, the base-passwd package contains update-passwd and manages updates to three files:

  • /etc/passwd
  • /etc/shadow
  • /etc/group

During an update process, the base-passwd package compares each line and field in the existing files with the corresponding entries in the master copies. It checks for any discrepancies, additions, or modifications that may have occurred since the initial installation or last update.

If any differences are detected, the base-passwd package takes the necessary actions to ensure that the system files are synchronized. This may involve updating or replacing specific lines or fields to match the master copies. Thus, the package ensures that the system maintains consistency and follows the recommended standards and configurations.

5. Validating Changes

After making changes, we can use several methods to validate their successful application.

5.1. Using the pwck Command

To validate the changes to password and account files, we can use the pwck command. The purpose of this command is to validate the integrity of user and authentication information. Moreover, pwck ensures that the entries in the /etc/passwd and /etc/shadow files adhere to the correct format and contain valid data:

$ pwck
pwck: no changes

The output shows that there are no errors and both files contain valid data.

Alternatively, if we only want to see output in case of error, we use the -q option:

$ pwck -q
user 'saned': directory '/home/saned' does not exist

In this case, there is a problem with a user’s home directory not existing.
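
The following added example (not from the original tutorial and not the pwck source) shows the kind of format and consistency checks involved, run offline against copies of the two files. It mirrors a few checks listed in the pwck manual page (field count, numeric IDs, duplicate names, passwd/shadow matching) and adds one audit check of its own, a UID 0 account other than root. The function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# write_samples DIR: create constructed passwd/shadow copies (placeholder hash).
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
john:x:1001:1005::/home/john:/bin/bash
backup2:x:0:0::/home/backup2:/bin/bash
mary:x:1003:1006::/home/mary
john:x:1002:1005::/home/john2:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:!:19000:0:99999:7:::
john:$6$examplesalt$PLACEHOLDERHASH:16985:0:99999:7:::
olduser:!:18000:0:99999:7:::
EOF
}

# audit_accounts PASSWD_FILE SHADOW_FILE -> one finding per line on stdout
audit_accounts() {
    awk -F: '
    # First argument is the shadow copy: remember which users it covers.
    FILENAME == ARGV[1] { if ($1 != "") shadow[$1] = 1; next }
    # Everything below runs on the passwd copy.
    NF != 7 { print "passwd line " FNR ": expected 7 fields, found " NF; next }
    {
        if ($3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/)
            print "user " $1 ": UID or GID is not numeric"
        if ($1 in seen)
            print "user " $1 ": duplicate passwd entry"
        seen[$1] = 1
        if ($3 ~ /^0+$/ && $1 != "root")      # extra check, not part of pwck
            print "user " $1 ": UID 0 on a non-root account"
        if ($2 == "x" && !($1 in shadow))
            print "user " $1 ": no matching shadow entry"
    }
    END {
        for (u in shadow)
            if (!(u in seen))
                print "user " u ": shadow entry without passwd entry"
    }' "$2" "$1"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
write_samples "$demo_dir"
audit_accounts "$demo_dir/passwd" "$demo_dir/shadow"
```

An empty result means none of these checks fired; it does not replace running pwck itself, which also verifies home directories and login shells on the live system.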

5.2. Using the su Command

Using the su command is a quick and common solution to verify our changes. After changing the password manually from the /etc/passwd file, we’ll try to log in again as user john with the new password:

$ sudo su - john
Password:

By entering the new password, we should be able to log in successfully. If not, then probably something went wrong with the manual editing of the /etc/passwd file. The su command changes the session and reloads the information. Accordingly, we validate that the new password is now active.

6. Conclusion

In this article, we learned the steps needed to check for a successful password-changing operation on a Linux system. We achieved this by using various methods. We started off by looking at the vipw command.

Additionally, we discussed the effectiveness of the passwd command. Moreover, we used the Debian-based update-passwd command and understood how it works with all password and account files.

Finally, we used the pwck and su commands to validate the changes made for a user that has undergone a password change.