How to Manage User Password Expiration and Aging in Linux
System administration involves numerous tasks, including managing users and groups. Under user management, some of the minor tasks involved are adding, modifying, suspending, or deactivating user accounts, and many more.
This article will explain one of the critical user account management functions: how to set or change user password expiration and aging in Linux using the chage command.
The chage command is used to modify user password expiry information. It enables you to view user account aging information, change the number of days between password changes and the date of the last password change.
Once you have set password expiry and aging information, this information is used by the system to determine when a user must change his/her password. Normally, companies or organizations have certain security policies that demand users to change passwords regularly: this can be a simple way to enforce such policies, as explained below.
To view a user account's aging information, use the -l flag as shown.
To set the date or number of days (since January 1, 1970) when the password was last changed, use the -d flag as follows.
Next, you can also set the date or number of days (since January 1, 1970) on which the user’s account will no longer be accessible by using the -E switch as shown in the following command.
In this case, once a user’s account is locked, he/she is required to contact the system administrator before being able to use the system again.
Then, the -W option allows you to set the number of days of warning before a password change is required. Considering the command below, the user ravi will be warned 10 days prior to his password expiring.
In addition, you can set the number of days of inactivity after a password has expired before the account is locked. This example means that after user ravi’s password expires, his account will be inactive for 2 days before it is locked.
When the account becomes inactive, he must contact the system administrator before being able to use the system again.
For more information, refer to the chage man page.
Note that you can also change a user’s password expiration and aging information using the usermod command, which is actually intended for modifying a user account.
BEST LINUX CHAGE COMMAND WITH EXAMPLES – A LINUX PASSWORD EXPIRATION MANAGEMENT TOOL
In this article we are going to learn about the Linux chage command. The name chage can be read as Change Age. The Linux chage command is used to manage password expiration and aging of user accounts and passwords.
We will be able to manage the settings listed below using the chage command:
- Set Expiry Date for a User Account.
- Set Warning alert before Password Expires.
- Set Password Inactive after Password Expiration.
- Set Maximum Number of days before Password Change.
- Set Minimum Number of days before Password Change.
- Force User to change Password at their first login.
- Set Last Password Change.
Linux chage command (A tool for linux password expiration Management) with Examples :
List the Current Aging Information of User
To list the current aging information of a user, we can use the chage command with the -l argument. Here I am checking the aging information of user elinuxbook.
```
[root@localhost ~]# chage -l elinuxbook    # Listing Aging Information of a User
Last password change : May 24, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
```
Set/Change Expiry Date of a User Account using Linux chage Command
To set or change the expiry date of a user account, you can use the chage command with the -E argument. Syntax to set/change the expiry date of a user account:
Syntax : chage -E [DATE] [Username]
The date format should be YYYY-MM-DD. Refer to the command below.
```
[root@localhost ~]# chage -E 2018-03-15 elinuxbook    # Set/Change Expiry Date of a User Account

# Confirm the Setting
[root@localhost ~]# chage -l elinuxbook
Last password change : May 19, 2017
Password expires : never
Password inactive : never
Account expires : Mar 15, 2018
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
```
Set Password Expiry Warning Alert
You can use the chage command to set a warning alert before password expiry. To do so, use the chage command with the -W argument. Here I am going to set 5 days as the password alert for user elinuxbook, which means user elinuxbook will get an alert message to change the password 5 days before password expiration.
```
[root@localhost ~]# chage -W 5 elinuxbook    # Set Password Change Alert for User

# Confirm the Setting
[root@localhost ~]# chage -l elinuxbook
Last password change : May 21, 2017
Password expires : Jun 20, 2017
Password inactive : Jun 27, 2017
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 5
```
Set Password Inactive after Password Expiration
The chage command with the -I argument sets the password inactivity period. That means the user is able to log in to the system with the same username and password for the next allowed days (e.g. 10 days) even after password expiry. Here I am allowing 10 days of password inactivity for user elinuxbook, which means user elinuxbook can use the same password for the next 10 days. After that the user will get locked. Refer to the command below.
```
[root@localhost ~]# chage -I 10 elinuxbook    # Set Password Inactivity

# Confirm the Setting
[root@localhost ~]# cat /etc/shadow | grep elinuxbook
elinuxbook:$1$/Qiw/iiX$zufQoDJV.LwZ.ggvRkABz.:17310:0:99999:7:10::
```
Set Maximum Number of Days between Password Change
You can set the maximum number of days between password changes, that is, the maximum number of days a user may keep using the current password. The user must change the password within the maximum allowed days, otherwise the account will lock. To set the maximum allowed days, use the chage command with the -M argument.
Note : When you set the maximum number of days for the password of any user, the Password Expires date also gets updated. It depends entirely on your value of maximum allowed days.
For example: here I am allowing 10 days as the maximum password age for the user elinuxbook. That means user elinuxbook is able to use the current password for the next 10 days only and must change the password before those 10 days are over, otherwise on the 11th day the user account elinuxbook will get locked.
```
[root@localhost ~]# chage -M 10 john    # Allow Maximum days between Password Change

# Confirm the Setting
[root@localhost ~]# chage -l john
Last password change : May 24, 2017
Password expires : Jun 03, 2017
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 10
Number of days of warning before password expires : 7
```
Set Minimum Number of Days between Password Change
You can also set the minimum number of days between password changes. That means the user cannot change the password until the minimum allowed days have passed. For example: here I set 5 days as the minimum password age for the user elinuxbook. That means user elinuxbook has to use the current password for at least 5 days and cannot change the password within these 5 days. To set the minimum days, use the chage command with the -m argument. Refer to the command below.
Note : If you set 0 as the minimum password days, the user can change his password at any time.
```
[root@localhost ~]# chage -m 5 john    # Allow Minimum days between Password Change

# Confirm the Setting
[root@localhost ~]# chage -l john
Last password change : May 24, 2017
Password expires : Jun 03, 2017
Password inactive : never
Account expires : never
Minimum number of days between password change : 5
Maximum number of days between password change : 10
Number of days of warning before password expires : 7
```
Set Last Change Password using Linux chage Command
Now we are going to discuss the Last Password Change setting. We can set the last password change date by using the chage command with the -d argument.
Syntax : chage -d [DATE] [USERNAME]
Note : The date should be in YYYY-MM-DD format.
Here I am going to set the last password change date for user ricky.
```
[root@localhost ~]# chage -d 2017-05-20 ricky    # Set Last Change Password

# Confirm the Setting
[root@localhost ~]# chage -l ricky
Last password change : May 20, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
```
Note : One more thing to notice is that when we set the last password change date as shown above, one more setting gets updated at the same time, i.e. Password Expires. It depends entirely on the value of the maximum number of days between password changes.
When we set or reset the password of any user, the Last Password Change setting also gets updated. For example, I reset the password of user elinuxbook on 25 May 2017, so the Last Password Change setting gets updated to the date 2017-05-25. Refer to the sample output below.
```
[root@localhost ~]# passwd elinuxbook
Changing password for user elinuxbook.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

[root@localhost ~]# chage -l elinuxbook
Last password change : May 25, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
```
Force User to Change Password at Next Login
You can also use the chage command with the -d argument to force the user to change the password on next login. For that you have to set the number of days to 0. Refer to the command below.
```
[root@localhost ~]# chage -d 0 ricky    # Force User to Change Password

# Confirm the Setting
[root@localhost ~]# chage -l ricky
Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : May 27, 2017
Minimum number of days between password change : 0
Maximum number of days between password change : 10
Number of days of warning before password expires : 7
```
As you can see above, all three options, i.e. Last Password Change, Password Expires and Password Inactive, show "password must be changed". That means when the user logs in for the first time, the system will force him to set his own password, and at that time all of the above settings will be updated as per that date.
Now when you log in to the system as user ricky, you will get the message below.
As you can see in the snapshot above, the system forces the user ricky to change the password.
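To tie the -E, -d 0, -M, -W and -I settings from the sections above together, the following added example (not part of the original article) classifies /etc/shadow lines by their aging fields so that accounts with no password expiry stand out in an audit. The function names aging_state and audit_shadow and the sample accounts are hypothetical, and the day-boundary handling is a simplified model that may differ by a day from a given PAM implementation.

```shell
#!/bin/sh
# Added example (not from the original article). Shadow fields:
#   user:hash:lastchg:min:max:warn:inactive:expire:reserved
# All day values are counted from January 1, 1970.

# aging_state SHADOW_LINE [TODAY]  (hypothetical helper; TODAY is a day number)
aging_state() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    IFS=: read -r user _hash last _min max warn inact expire _rest <<EOF
$1
EOF
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo "$user account-expired"            # chage -E date reached
    elif [ "$last" = 0 ]; then
        echo "$user must-change"                # chage -d 0
    elif [ -z "$last" ] || [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo "$user never"                      # default -M 99999
    elif [ "$today" -le $(( last + max )) ]; then
        left=$(( last + max - today ))
        if [ -n "$warn" ] && [ "$left" -lt "$warn" ]; then
            echo "$user warn $left"             # inside the -W window
        else
            echo "$user ok $left"
        fi
    elif [ -z "$inact" ]; then
        echo "$user expired"                    # no -I value: change forced, no lock
    elif [ "$today" -le $(( last + max + inact )) ]; then
        echo "$user grace $(( last + max + inact - today ))"   # -I window
    else
        echo "$user locked"
    fi
}

# audit_shadow [TODAY]: classify every shadow-format line read from stdin.
audit_shadow() {
    while IFS= read -r entry; do
        if [ -n "$entry" ]; then aging_state "$entry" "$1"; fi
    done
}

# Constructed sample; "x" stands in for the hash field.
SAMPLE='alice:x:17307:0:30:5:7::
bob:x:0:0:10:7:::
carol:x:17310:0:99999:7:10::'

# Day 17340 is 30 days after the 17310 stored in the article's shadow line.
printf '%s\n' "$SAMPLE" | audit_shadow 17340
```

On a real host, run `audit_shadow < /etc/shadow` as root with no argument to evaluate against today's date; every account reported as `never` has no maximum password age set.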
More Linux chage Command Help
For more Linux chage command options, you can refer to the command below.
```
[root@localhost ~]# chage --help    # Help Page of Linux chage command
Usage: chage [options] [LOGIN]

Options:
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximim number of days before password change to MAX_DAYS
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
```
Linux chage Command Manual Page
Or refer to the manual page of chage using the command below.
```
[root@localhost ~]# man chage    # Manual Page of Linux chage Command
```