Tuesday, February 7, 2017

[Quick Tips: Chage]: Password Expiration and Aging

Examples to Manage Linux Password Expiration and Aging Using chage


NAME

chage - change user password expiry information

SYNOPSIS

chage [options] [LOGIN]

DESCRIPTION

The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password.

OPTIONS

-d, --lastday LAST_DAY
    Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format YYYY-MM-DD (or the format more commonly used in your area).
-E, --expiredate EXPIRE_DATE
    Set the date or number of days since January 1, 1970 on which the user's account will no longer be accessible. The date may also be expressed in the format YYYY-MM-DD (or the format more commonly used in your area). A user whose account is locked must contact the system administrator before being able to use the system again. Passing the number -1 as the EXPIRE_DATE will remove an account expiration date.
-h, --help
    Display help message and exit.
-I, --inactive INACTIVE
    Set the number of days of inactivity after a password has expired before the account is locked. The INACTIVE option is the number of days of inactivity. A user whose account is locked must contact the system administrator before being able to use the system again. Passing the number -1 as the INACTIVE will remove an account's inactivity.
-l, --list
    Show account aging information.
-m, --mindays MIN_DAYS
    Set the minimum number of days between password changes to MIN_DAYS. A value of zero for this field indicates that the user may change his/her password at any time.
-M, --maxdays MAX_DAYS
    Set the maximum number of days during which a password is valid. When MAX_DAYS plus LAST_DAY is less than the current day, the user will be required to change his/her password before being able to use his/her account. This occurrence can be planned for in advance by use of the -W option, which provides the user with advance warning. Passing the number -1 as MAX_DAYS will remove checking a password's validity.
-W, --warndays WARN_DAYS
    Set the number of days of warning before a password change is required. The WARN_DAYS option is the number of days prior to the password expiring that a user will be warned his/her password is about to expire.

EXAMPLES

EXAMPLE-1:
Use chage command to list the password aging information of a user
$ chage -l testuser

output:

Last password change : May 01, 2016
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 15

EXAMPLE-2:
Disable password aging for a user
$ chage -I -1 -m 0 -M 99999 -E -1 testuser
-I -1 : This will set the “Password inactive” to never
-m 0 : This will set the minimum number of days between password change to 0
-M 99999 : This will set the maximum number of days between password change to 99999
-E -1 : This will set “Account expires” to never.
This will disable the password expiry of a user if it is already enabled.

EXAMPLE-3:
Enable password expiry date of a user
$ chage -M 20 testuser

output:
Last password change : May 01, 2016
Password expires : May 21, 2017
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 20
Number of days of warning before password expires : 15

EXAMPLE-4:
Set the Account expiry date in the format YYYY-MM-DD
$ chage -E 2017-05-28 testuser

output:
Last password change : May 01, 2016
Password expires : May 28, 2017
Password inactive : never
Account expires : May 28, 2017
Minimum number of days between password change : 0
Maximum number of days between password change : 20
Number of days of warning before password expires : 15

EXAMPLE-5:
Set the password expiry warning message
$ chage -W 10 testuser

The user will start getting warnings about the password expiry 10 days before it expires.

EXAMPLE-6:
Forcing the users to change the password on next logon
$ chage -d 0 testuser

This will reset “Last Password Change” to “Password must be changed”.

In this article, let us review how you can use the Linux chage command to perform several practical password-aging tasks, including how to force users to change their password. On Debian, you can install chage by executing the following command:
# apt-get install chage
Note: It is very easy to make a typo in this command: instead of chage you may end up typing change. Remember that chage stands for “change age”, i.e. the chage abbreviation follows the same pattern as chmod, chown, etc.

1. List the password and its related details for a user

As shown below, any user can execute the chage command for themselves to see when their password is about to expire.
Syntax: chage --list username (or) chage -l username

$ chage --list dhinesh
Last password change                                    : Apr 01, 2009
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
If user dhinesh tries to execute the same command for user ramesh, he’ll get the following permission denied message.
$ chage --list ramesh
chage: permission denied
Note: A root user, however, can execute the chage command for any user account.
When user dhinesh changes his password on Apr 23rd 2009, it will update the “Last password change” value as shown below. Please refer to our earlier article, Best Practices and Ultimate Guide For Creating Super Strong Password, which will help you follow best practices while changing the password for your account.
$ date
Thu Apr 23 00:15:20 PDT 2009

$ passwd dhinesh
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

$ chage --list dhinesh
Last password change                                    : Apr 23, 2009
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

2. Set Password Expiry Date for a user using chage option -M

Root (system administrators) can set the password expiry date for any user. In the following example, user dhinesh’s password is set to expire 10 days from the last password change. Please note that option -M updates both the “Password expires” and “Maximum number of days between password change” entries, as shown below.
Syntax: # chage -M number-of-days username

# chage -M 10 dhinesh

# chage --list dhinesh
Last password change                                    : Apr 23, 2009
Password expires                                        : May 03, 2009
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 10
Number of days of warning before password expires       : 7

3. Password Expiry Warning message during login

By default, the number of days of warning before password expiry is set to 7. So, in the above example, when user dhinesh tries to log in on Apr 30, 2009, he’ll get the following message.
$ ssh dhinesh@testingserver
dhinesh@testingserver's password:
Warning: your password will expire in 3 days

4. User Forced to Change Password after Expiry Date

If the password expiry date is reached and the user hasn’t changed their password, the system will force the user to change the password before login, as shown below.
$ ssh dhinesh@testingserver
dhinesh@testingserver's password:

You are required to change your password immediately (password aged)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for dhinesh
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:

5. Set the Account Expiry Date for a User

You can also use the chage command to set the account expiry date, as shown below, using option -E. The date is given in “YYYY-MM-DD” format. This updates the “Account expires” value as shown below.
# chage -E "2009-05-31" dhinesh

# chage -l dhinesh
Last password change                                    : Apr 23, 2009
Password expires                                        : May 03, 2009
Password inactive                                       : never
Account expires                                         : May 31, 2009
Minimum number of days between password change          : 0
Maximum number of days between password change          : 10
Number of days of warning before password expires       : 7

6. Force the user account to be locked after X number of inactivity days

Typically, if the password has expired, users are forced to change it during their next login. You can also set an additional condition with option -I: after the password has expired, if the user never tries to log in for 10 days, their account is locked automatically, as shown below. In this example, the “Password inactive” date is set to 10 days after the “Password expires” value. Once an account is locked, only system administrators will be able to unlock it.
# chage -I 10 dhinesh

# chage -l dhinesh
Last password change                                    : Apr 23, 2009
Password expires                                        : May 03, 2009
Password inactive                                       : May 13, 2009
Account expires                                         : May 31, 2009
Minimum number of days between password change          : 0
Maximum number of days between password change          : 10
Number of days of warning before password expires       : 7

7. How to disable password aging for a user account

To turn off password expiration for a user account, set the following:
  • -m 0 will set the minimum number of days between password change to 0
  • -M 99999 will set the maximum number of days between password change to 99999
  • -I -1 (number minus one) will set the “Password inactive” to never
  • -E -1 (number minus one) will set “Account expires” to never.
# chage -m 0 -M 99999 -I -1 -E -1 dhinesh

# chage --list dhinesh
Last password change                                    : Apr 23, 2009
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
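The option descriptions in the man-page excerpt above and sections 2, 5 and 6 all come down to one piece of date arithmetic on the /etc/shadow fields that chage edits: LAST_DAY plus MAX_DAYS gives “Password expires”, plus INACTIVE gives “Password inactive”, and EXPIRE_DATE is stored directly as a day count. The script below is an added example, not code from the original article: it reproduces that arithmetic over constructed shadow-style records (the dhinesh record mirrors the article’s dates, Apr 23, 2009 being day 14357 since the epoch) so password aging can be audited without root or the chage binary, and it flags accounts whose aging is disabled. The function names, the status words and the exact-day boundary rule are this example’s own assumptions, not chage’s documented behaviour.

```shell
#!/bin/sh
# Added example, not code from the original article: reproduce the date
# arithmetic behind "chage -l" from /etc/shadow-style records, so password
# aging can be audited without root or the chage binary.
# Field layout is the real shadow(5) one:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# where lastchg and expire are days since 1970-01-01 (what chage -d / -E store).
# The sample records at the bottom are constructed; dhinesh mirrors the
# article's values (Apr 23, 2009 is day 14357).

# Convert days since the Unix epoch to YYYY-MM-DD (Hinnant's civil_from_days).
days_to_date() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
    y=$(( yoe + era * 400 ))
    if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# Print a day number as a date, or "never" when the field is empty or negative.
date_or_never() {
    if [ -n "$1" ] && [ "$1" -ge 0 ]; then days_to_date "$1"; else echo never; fi
}

# Split one shadow record into sh_* variables and derive the two dates chage
# computes: sh_pwexp (password expiry day) and sh_lock (inactivity lock day).
parse_record() {
    IFS=: read -r sh_name sh_hash sh_last sh_min sh_max sh_warn sh_inact sh_expire sh_rest <<EOF
$1
EOF
    # chage shows "never" for an empty or negative MAX, for MAX >= 10000
    # (99999 is the conventional "disabled" value), or an unset last-change day.
    if [ -z "$sh_max" ] || [ "$sh_max" -lt 0 ] || [ "$sh_max" -ge 10000 ] || [ "${sh_last:-0}" -le 0 ]; then
        sh_pwexp=""
    else
        sh_pwexp=$(( sh_last + sh_max ))
    fi
    # "Password inactive" only exists when there is an expiry day and INACTIVE >= 0.
    if [ -n "$sh_pwexp" ] && [ -n "$sh_inact" ] && [ "$sh_inact" -ge 0 ]; then
        sh_lock=$(( sh_pwexp + sh_inact ))
    else
        sh_lock=""
    fi
}

# Print the rows "chage -l" prints for one record.
aging_report() {
    parse_record "$1"
    echo "== $sh_name"
    if [ "${sh_last:-0}" -eq 0 ]; then
        echo "Last password change : password must be changed"
    else
        echo "Last password change : $(days_to_date "$sh_last")"
    fi
    echo "Password expires     : $(date_or_never "$sh_pwexp")"
    echo "Password inactive    : $(date_or_never "$sh_lock")"
    echo "Account expires      : $(date_or_never "$sh_expire")"
}

# Classify one record against "today" (days since the epoch). Boundary rule is
# this example's assumption: a password is usable through its expiry day and
# counts as expired from the next day on.
aging_status() {
    parse_record "$1"
    today=$2
    if [ -n "$sh_expire" ] && [ "$sh_expire" -ge 0 ] && [ "$today" -ge "$sh_expire" ]; then
        echo ACCOUNT_EXPIRED              # chage -E date reached: login refused
    elif [ "${sh_last:-0}" -eq 0 ]; then
        echo MUST_CHANGE                  # chage -d 0: change forced at next login
    elif [ -z "$sh_pwexp" ]; then
        echo NO_AGING                     # -M 99999 or -M -1: worth flagging in an audit
    elif [ -n "$sh_lock" ] && [ "$today" -gt "$sh_lock" ]; then
        echo LOCKED                       # expired and the INACTIVE days have also passed
    elif [ "$today" -gt "$sh_pwexp" ]; then
        echo EXPIRED                      # user is forced to change at next login
    elif [ $(( sh_pwexp - today )) -le "${sh_warn:-0}" ]; then
        echo "WARN $(( sh_pwexp - today ))"   # inside the -W warning window
    else
        echo OK
    fi
}

# Constructed /etc/shadow excerpt (hashes replaced by a placeholder).
SAMPLE_SHADOW='dhinesh:$6$placeholder:14357:0:10:7:10:14395:
ramesh:$6$placeholder:14357:0:99999:7:::
svc-backup:$6$placeholder:0:0:90:7:::'

# One status line per account for a given "today".
audit_shadow() {
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r rec; do
        printf '%-12s %s\n' "${rec%%:*}" "$(aging_status "$rec" "$1")"
    done
}

aging_report 'dhinesh:$6$placeholder:14357:0:10:7:10:14395:'
audit_shadow 14364   # Apr 30, 2009: the day the article shows the 3-day warning
```

Run against a real system with something like `audit_shadow $(( $(date +%s) / 86400 ))` after pointing SAMPLE_SHADOW at the contents of /etc/shadow (readable only by root); the NO_AGING status is the one to look for, since it is exactly what section 7’s `-M 99999` leaves behind.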

Friday, February 3, 2017

[Quick Tips: Run Single Command On Multiple Systems]: How To Run Single Command On Multiple Remote Systems At Once

How To Run Single Command On Multiple Remote Systems At Once


Today, we are going to see how to run a single command on multiple remote systems at once in Unix-like operating systems. As you already know, we can access and communicate with a remote system using ssh. OpenSSH allows us to do all sorts of administration tasks on a remote system. One limitation of OpenSSH is that it can’t run a single command on multiple remote systems at once. No problem: this is where PSSH comes in.

PSSH, or Parallel SSH, is a command line suite that helps you to ssh in parallel on a number of hosts. The PSSH suite consists of the following commands:
  • pssh – SSH to multiple remote systems in parallel
  • pscp – Copy files in parallel to a number of hosts
  • prsync – Copy files in parallel to a number of hosts
  • pnuke – Kill processes in parallel on a number of hosts
  • pslurp – Copy files in parallel from a number of hosts
In this tutorial, we will see how to execute a single command on multiple hosts at once using PSSH.

Run Single Command On Multiple Remote Systems At Once

We can easily install PSSH using PIP, a python package manager.
To install PIP on Arch Linux and its derivatives, run:
sudo pacman -S python-pip
On RHEL, Fedora, CentOS:
sudo yum install epel-release
sudo yum install python-pip
Or,
sudo dnf install epel-release
sudo dnf install python-pip
On Debian, Ubuntu, Linux Mint:
sudo apt-get install python-pip
Once PIP is installed, run the following command to install PSSH.
sudo pip install pssh

Usage

Important: For this tutorial, all your remote systems must have a common username with the same password; otherwise, this method won’t work. For example, I have already created a user called sk with password ostechnix on all my remote hosts.
Now, let us see how to run a single command on multiple remote hosts using PSSH. On the local system from which you want to run the command, create a text file called remotehosts.txt. You can name it as you wish.
vi remotehosts.txt
Add the IP addresses of your remote hosts with port numbers, one per line, exactly as shown below.
192.168.1.103:22
192.168.1.104:22
Here, 192.168.1.103 and 192.168.1.104 are the IP addresses of my remote systems, and 22 is the ssh port number. If you have changed the port, you need to specify the correct port number. Also, make sure you can access all remote hosts from your local system via ssh.
Now, let us check the uptime of both remote hosts from our local system. To do so, run:
pssh -h remotehosts.txt -l sk -A -i "uptime"
Here,
  • remotehosts.txt – contains the IP addresses of both remote systems
  • sk – the username on both remote systems
Enter the password of the user “sk”.
Sample output:
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password: 
[1] 20:51:15 [SUCCESS] 192.168.1.103:22
 20:50:50 up 8 min, 1 user, load average: 0.05, 0.11, 0.10
[2] 20:51:15 [SUCCESS] 192.168.1.104:22
 20:50:52 up 12 min, 1 user, load average: 0.00, 0.07, 0.12
As you see above, we have run the uptime command on two remote hosts and got the result in one go.
What about the kernel version? To check the installed version of both remote hosts, run:
pssh -h remotehosts.txt -l sk -A -i "uname -r"
Sample output:
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password: 
[1] 20:53:09 [SUCCESS] 192.168.1.103:22
3.10.0-327.22.2.el7.x86_64
[2] 20:53:09 [SUCCESS] 192.168.1.104:22
4.4.0-21-generic
Very cool, isn’t it? Can we create a directory on both remote hosts at once? Yes, of course! To do so, run the following command:
pssh -h remotehosts.txt -l sk -A -i "mkdir dir1"
Similarly, you can do anything you want on multiple remote hosts from your local system using PSSH.
Very, very important: Please be very careful while using PSSH. One bad command will run simultaneously on multiple hosts and can damage all of them. So, be cautious while using this method in production. I suggest you test it in virtual machines first. Once you’re familiar with PSSH, you can use it in production if you like.
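The warning above is the reason to put two small checks around a pssh run: validate the host file before a command is fanned out to every host in it, and read pssh’s per-host `[SUCCESS]`/`[FAILURE]` lines afterwards so a script stops instead of carrying on with a half-applied change. The functions below are an added example, not part of the article or of the pssh suite; the host lists and the pssh output they work on are constructed (the `[FAILURE]` line follows pssh’s status-line layout), and the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not code from the original article: two guard rails around a
# pssh run. check_hostfile validates the host list before a command is fanned
# out to every host in it, and summarize_pssh turns pssh's per-host status lines
# into a pass/fail a script can act on. The host lists and the pssh output below
# are constructed (the "[FAILURE]" line follows pssh's status-line layout).

# Return 0 when every non-blank, non-comment line is HOST:PORT with a port in
# 1-65535; report each bad line on stderr. pssh itself also accepts a bare host
# (port 22) and user@host; this check enforces the article's HOST:PORT form.
check_hostfile() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        case $line in
            *:*) ;;
            *) bad=$(( bad + 1 )); echo "missing :PORT in: $line" >&2; continue ;;
        esac
        host=${line%:*}
        port=${line##*:}
        case $host in
            ''|*[!A-Za-z0-9.-]*) bad=$(( bad + 1 )); echo "bad host in: $line" >&2; continue ;;
        esac
        case $port in
            ''|*[!0-9]*) bad=$(( bad + 1 )); echo "bad port in: $line" >&2; continue ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            bad=$(( bad + 1 )); echo "port out of range in: $line" >&2
        fi
    done <<EOF
$1
EOF
    [ "$bad" -eq 0 ]
}

# Parse pssh status lines ("[n] HH:MM:SS [SUCCESS|FAILURE] host:port ...").
# Prints "ok=N failed=M", lists failed hosts on stderr, and returns 1 if any
# host failed so the caller can stop instead of continuing a half-applied change.
summarize_pssh() {
    ok=0
    failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '['*' [SUCCESS] '*) ok=$(( ok + 1 )) ;;
            '['*' [FAILURE] '*)
                failed=$(( failed + 1 ))
                rest=${line##*] }          # text after the last "] ": "host:port reason"
                echo "failed: ${rest%% *}" >&2 ;;
        esac
    done <<EOF
$1
EOF
    echo "ok=$ok failed=$failed"
    [ "$failed" -eq 0 ]
}

# Constructed inputs.
SAMPLE_HOSTS='192.168.1.103:22
192.168.1.104:22'
# A comma instead of a dot on the first line is the kind of slip a fan-out should catch.
BAD_HOSTS='192,168.1.103:22
192.168.1.104:22'
SAMPLE_PSSH_OUTPUT='[1] 20:51:15 [SUCCESS] 192.168.1.103:22
 20:50:50 up 8 min, 1 user, load average: 0.05, 0.11, 0.10
[2] 20:51:15 [SUCCESS] 192.168.1.104:22
 20:50:52 up 12 min, 1 user, load average: 0.00, 0.07, 0.12
[3] 20:51:16 [FAILURE] 192.168.1.105:22 Exited with error code 255'

check_hostfile "$SAMPLE_HOSTS" && echo "host file accepted"
check_hostfile "$BAD_HOSTS" || echo "host file rejected, nothing was run"
# Real use: pssh -h remotehosts.txt -l sk -A -i "uptime" | tee run.log
#           summarize_pssh "$(cat run.log)" || exit 1
summarize_pssh "$SAMPLE_PSSH_OUTPUT" || echo "at least one host failed; stop here"
```

Because `-A` prompts for the password on the terminal rather than on stdout, piping pssh through `tee` keeps the prompt working while capturing the status lines for `summarize_pssh`.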

[Quick Tips: Prevent Accidental Deletion]: Prevent Files And Folders From Accidental Deletion Or Modification In Linux

Prevent Files And Folders From Accidental Deletion Or Modification In Linux


Data protection is one of the main jobs of a system administrator. There are numerous free and commercial data protection tools available on the market. But, as you might know, there is a simple yet useful command-line utility called “chattr” (short for Change Attribute) which can be used to prevent files and folders from accidental deletion in Unix-like distributions. It applies certain attributes to a file or folder in your Linux system, so users can’t delete or modify the files and folders, either accidentally or intentionally, even as the root user. Sounds useful, isn’t it?

By default, chattr is available in most modern Linux operating systems. Let us see some examples.
The default syntax of chattr command is:
chattr [operator] [switch] [filename]
chattr has the following operators:
  • The operator ‘+’ causes the selected attributes to be added to the existing attributes of the files;
  • The operator ‘-’ causes them to be removed;
  • The operator ‘=’ causes them to be the only attributes that the files have.
chattr has different attributes, namely aAcCdDeijPsStTu. Each letter applies a particular attribute to a file.
  • a – append only,
  • A – no atime updates,
  • c – compressed,
  • C – no copy on write,
  • d – no dump,
  • D – synchronous directory updates,
  • e – extent format,
  • i – immutable,
  • j – data journalling,
  • P – project hierarchy,
  • s – secure deletion,
  • S – synchronous updates,
  • t – no tail-merging,
  • T – top of directory hierarchy,
  • u – undeletable.
In this tutorial, we are going to discuss the usage of two attributes, namely a and i, which are used to prevent the deletion of files and folders.

Prevent files from accidental deletion

I am going to create a file called file.txt in my current directory.
touch file.txt
Now, I am going to apply the “i” attribute, which makes the file immutable. It means you can’t delete or modify the file, even if you’re the file owner or the root user.
sudo chattr +i file.txt
You can check the file attributes using command:
sudo lsattr file.txt
Sample output:
----i---------e---- file.txt
Now, try to remove the file either as a normal user or with sudo privileges.
rm file.txt
Sample output:
rm: cannot remove 'file.txt': Operation not permitted
Let me try with sudo command:
sudo rm file.txt
Sample output:
rm: cannot remove 'file.txt': Operation not permitted
Let us try to append some contents in the text file.
echo 'Hello World!' >> file.txt
Sample output:
bash: file.txt: Operation not permitted
Try with sudo privileges. Note that in “sudo echo ... >> file.txt” the redirection is performed by your own unprivileged shell, not by sudo, so the write has to be wrapped in a shell that itself runs as root:
sudo bash -c "echo 'Hello World!' >> file.txt"
Sample output:
bash: file.txt: Operation not permitted
As you noticed in the above outputs, we can’t delete or modify the file even as the root user.
To revoke attributes, just use “-i” switch as shown below.
sudo chattr -i file.txt
Now, the immutable attribute has been removed. You can now delete or modify the file.
rm file.txt
Similarly, you can restrict the directories from accidental deletion or modification as described in the next section.

Prevent folders from accidental deletion and modification

Create a directory called dir1 and a file called file.txt inside this directory.
mkdir dir1 && touch dir1/file.txt
Now, make this directory and its contents (file.txt) immutable using command:
sudo chattr -R +i dir1
Where,
  • -R – will make the dir1 and its contents immutable recursively.
  • +i – makes the directory immutable.
Now, try to delete the directory, either as a normal user or using sudo.
rm -fr dir1
sudo rm -fr dir1
You will get the following output:
rm: cannot remove 'dir1/file.txt': Operation not permitted
Try to append some contents to the file using the “echo” command:
echo 'Hello World!' >> dir1/file.txt
See? You can’t modify it either.
To revoke the attributes back, run:
sudo chattr -R -i dir1
Now, you can delete or modify the contents of this directory as usual.

Prevent files and folders from accidental deletion, but allow modification

We know now how to prevent files and folders from accidental deletion and modification. Next, we are going to prevent files and folders from deletion, but allow modification.
To do so, run the following command:
For files:
sudo chattr +a file.txt
For directories: 
sudo chattr -R +a dir1
The “+a” (append only) attribute lets you append data to the end of the file, but you can’t delete, truncate or overwrite it.
Add some contents to the file(s) to check whether it works or not.
echo 'Hello World!' >> file.txt
echo 'Hello World!' >> dir1/file.txt
Check the file contents using cat command:
cat file.txt
cat dir1/file.txt
Sample output:
Hello World!
You will see that you can now append to the files, which means the append-only files and folders remain modifiable.
Let us try to delete the file or folder now.
rm file.txt
Output:
rm: cannot remove 'file.txt': Operation not permitted
Let us try to delete the folder:
rm -fr dir1/
Sample output:
rm: cannot remove 'dir1/file.txt': Operation not permitted
To remove the attributes, run the following commands:
For files:
sudo chattr -a file.txt
For directories:
sudo chattr -R -a dir1/
Now, you can delete or modify the files and folders as usual.
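Once i and a are in use, the practical question becomes which files carry them, since an immutable file silently blocks package upgrades, log rotation and cleanup until someone runs `chattr -i`. The script below is an added example, not code from the article or from e2fsprogs: it reads `lsattr` output in the “flags path” layout shown above (the lines are constructed, including the `dir:` headers that `lsattr -R` prints) and lists every entry that is immutable, append-only or both. Because the column a given letter occupies differs between e2fsprogs versions, the letters are matched rather than their offsets. The function names are this example’s own.

```shell
#!/bin/sh
# Added example, not code from the original article: read lsattr output and
# report which files carry the two attributes the article relies on, i
# (immutable) and a (append-only), so an administrator can review where they
# are set before an upgrade or a cleanup trips over them. The lsattr lines
# below are constructed in lsattr's "<flags> <path>" layout; the column a
# letter occupies varies between e2fsprogs versions, so letters are matched,
# not offsets.

# Print "immutable", "append-only", "immutable+append-only" or "none" for one
# flags string such as "----i---------e----".
protection_of() {
    result=""
    case $1 in *i*) result="immutable" ;; esac
    case $1 in *a*) result="${result:+$result+}append-only" ;; esac
    echo "${result:-none}"
}

# Read lsattr-style lines from $1 and print "<path><TAB><protection>" for every
# entry that has i or a set. Blank lines, "dir:" headers from lsattr -R and
# "lsattr: ..." error lines are skipped.
report_protected() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|*:|lsattr:*) continue ;; esac
        flags=${line%% *}
        path=${line#* }
        prot=$(protection_of "$flags")
        [ "$prot" = none ] && continue
        printf '%s\t%s\n' "$path" "$prot"
    done <<EOF
$1
EOF
}

# Number of entries report_protected lists (0 when nothing is protected).
count_protected() {
    report_protected "$1" | grep -c . || true
}

# Constructed "lsattr -R" output: one immutable file, one unprotected file,
# one append-only log, and one file with both flags.
SAMPLE_LSATTR='/srv/data:
----i---------e---- /srv/data/file.txt
--------------e---- /srv/data/notes.txt

/var/log:
-----a--------e---- /var/log/audit.log
----ia--------e---- /var/log/secure'

# Real use: report_protected "$(sudo lsattr -R /etc /usr/bin 2>/dev/null)"
report_protected "$SAMPLE_LSATTR"
echo "protected entries: $(count_protected "$SAMPLE_LSATTR")"
```

A file that shows up here and was not put on the list deliberately is worth a closer look: nothing in normal package management sets i or a, so an unexpected entry is either a forgotten protection or a change someone made to keep a file from being replaced.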
For more details, refer to the man page:
man chattr
That’s all for now. You know now how to apply file attributes to files and folders using chattr command, and how to prevent them from accidental deletion or modification. This can be useful to protect the important system files and data in your Linux system.
Cheers!