- How to Manage User Password Expiration and Aging in Linux
- How to set password non-expiry for user in linux
- passwd — update user’s authentication tokens
- Turning off password expiration on Linux
- 1 Answer 1
- Linux: Set Password to NEVER Expire
- Set Password to NEVER Expire in Linux
- Non-Expiring password on Linux server
- 7 Answers 7
- Solaris/SunOS:
How to Manage User Password Expiration and Aging in Linux
System administration involves numerous tasks including managing users/groups and under user management, some of the minor tasks involved are adding, modifying, suspending, or deactivating user accounts, and many more.
This article will explain one of the critical user account management functions, how to set or change user password expiration and aging in Linux using the chage command.
The chage command is used to modify user password expiry information. It enables you to view user account aging information, change the number of days between password changes and the date of the last password change.
Once you have set password expiry and aging information, this information is used by the system to determine when a user must change his/her password. Normally, companies or organizations have certain security polices that demand users to change passwords regularly: this can be a simple way to enforce such policies as we explained below.
To view a user account aging information, use the -l flag as shwon.
To set the date or number of days (since January 1, 1970) when the password was last changed, use the -d flag as follows.
Next, you can also set the date or number of days (since January 1, 1970) on which the user’s account will no longer be accessible by using the -E switch as shown in the following command.
In this case, once a user’s account is locked, he/she is required to contact the system administrator before being able to use the system again.
Then, the -W option allows you to set the number of days of warning before a password change is required. Considering the command below, the user ravi will be warned 10 days prior to his password expiring.
In addition, you can set the number of days of inactivity after a password has expired before the account is locked. This example means that after user ravi’s password expires, his account will be inactive for 2 days before it is locked.
When the account becomes inactive, he must contact the system administrator before being able to use the system again.
For more information, refer to the chage man page.
Note that you can also change a user’s password expiration and aging information using the usermod command, which is actually intended for modifying a user account.
That’s it for now. Hoping you find this article informative and useful, if you have any questions to ask, use the feedback form below.
How to set password non-expiry for user in linux
The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change their password.
Below command is used to set non-expiry for testuser
#chage -I -1 -m 0 -M 4294967295 -E -1 testuser
[root@nsk-linux home]# chage -I -1 -m 0 -M 4294967295 -E -1 testuser1
[root@nsk-linux home]#
[root@nsk-linux home]# chage -l testuser1
Last password change : Dec 10, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 4294967295
Number of days of warning before password expires : 7
Here
-I Set the number of days of inactivity after a password has expired before the account is locked
-m —mindays. Minimum number of days between password changes. A value of zero for this field indicates that the user may change their pssword at any time
-M —maxdays. Maximum number of days during which a password is valid
-E —expiredate. Set the date
NAME
passwd — update user’s authentication tokens
The passwd utility is used to update user’s authentication token.
Below command is used to set non-expiry for testuser
#passwd -x -1 testuser
[root@nsk-linux home]# passwd -x -1 testuser
Adjusting aging data for user testuser.
passwd: Success
[root@nsk-linux home]#
[root@nsk-linux home]# chage -l testuser
Last password change : Dec 10, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 4294967295
Number of days of warning before password expires : 7
Here
-x This will set the maximum password lifetime, in days, if the user’s account supports password lifetimes. Available to root only.
Turning off password expiration on Linux
I found that I need to edit /etc/shadow . How exactly do I need to edit the root line below, so that my Linux does not ask me to change the password on the each log in?
root@ubuntu:~# cat /etc/shadow root:$6$U.dnAQ2f$FV$/aF23Yn.sq1BYVjinlI9251nAarzqGKES18RxadV5bTakcfCNYAMljUwSaQZYV0r4MttHF0SFO7ebq3E1m/:0:0:99999:7.
root:$6$U.dnAQ2f$FV$/aF23Yn.sq1BYVjinlI9251nAarzqGKES18RxadV5bTakcfCNYAMljUwSaQZYV0r4MttHF0SFO7ebq3E1m/:0:0.
It stills asks for a password on log in. I also followed the instructions on http://www.lifelinux.com/setting-up-password-aging-in-linux/:
root@ubuntu:/home# chage -m 7 -M 60 -W 7 -I 7 root root@ubuntu:/home# chage -m 0 -M 99999 -I -1 root root@ubuntu:/home# change -l root -bash: change: command not found root@ubuntu:/home# chage -l root Last password change : password must be changed Password expires : password must be changed Password inactive : password must be changed Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7
What do I need to edit to remove password must be changed ? I also did chage -I -1 -m 0 -M 99999 -E -1 root , but it did not help.
1 Answer 1
describes the format of that file. Quoting from there, the fifth field is the maximum password age.
maximum password age The maximum password age is the number of days after which the user will have to change her password.
After this number of days is elapsed, the password may still be valid. The user should be asked to change her password the next time she will log in.
An empty field means that there are no maximum password age, no password warning period, and no password inactivity period (see below).
If the maximum password age is lower than the minimum password age, the user cannot change her password.
In your case, you’ve already hit the trigger, so you also need to get rid of the prompt to immediately change the password on the next login. Again consulting the man page.
date of last password change The date of the last password change, expressed as the number of days since Jan 1, 1970.
The value 0 has a special meaning, which is that the user should change her password the next time she will log in the system.
An empty field means that password aging features are disabled.
So you should also delete the zero from the third field. And once you’ve disabled that, there’s no need for the fourth one either.
So you should be able to delete the fifth field entirely to achieve what you want. As in
root:$6$U.dnAQ2f$FV$/aF23Yn.sq1BYVjinlI9251nAarzqGKES18RxadV5bTakcfCNYAMljUwSaQZYV0r4MttHF0SFO7ebq3E1m/.
That said, I would generally advise against directly editing files like this unless you’re 100% sure you know what you’re doing.
Edit: Also, it appears that chage is part of the passwd package on Ubuntu, which I would have assumed you already had installed.
Linux: Set Password to NEVER Expire
If your Linux user’s password is about to expire, you may see a message as follows on your login screen:
Warning: Your password will expire in X days
In this note i will show how to disable the Linux user’s password expiration from the command line using the chage command.
Cool Tip: How to generate a password hash for /ect/shadow in Linux! Read more →
Set Password to NEVER Expire in Linux
To check a user’s password expiration settings in Linux, use the chage command:
$ chage -l - sample output - Last password change : Sep 30, 2021 Password expires : Dec 29, 2021 Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 90 Number of days of warning before password expires : 7
To set the Linux user’s password to never expire in an interactive mode:
$ sudo chage - sample output - Changing the aging information for Enter the new value, or press ENTER for the default Minimum Password Age [0]: Enter Maximum Password Age [90]: 99999 Last Password Change (YYYY-MM-DD) [2021-09-30]: Enter Password Expiration Warning [7]: Enter Password Inactive [-1]: Enter Account Expiration Date (YYYY-MM-DD) [-1]: Enter
To turn off the Linux user’s password expiration non-interactively:
$ sudo chage -I -1 -m 0 -M 99999 -E -1
Ensure that the user’s password expiration settings have changed:
$ chage -l - sample output - Last password change : Sep 30, 2021 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7
Cool Tip: Generate a random password from the Linux command line! Read more →
Non-Expiring password on Linux server
I’d like to set up an account on a linux server and make the account’s password never expire. I’m having difficulties figuring it out with the passwd man page. Could someone please help me out?
7 Answers 7
To maximize password expiration:
To disable account expiration:
To set the system defaults, look at /etc/default/useradd
Solaris/SunOS:
Turn off aging while allowing user to retain current password
Force user to change password at next login, and then turn off aging
(Hopefully this helps someone out)
You want the chage command you just set the account minimum password to a rediculously long time like 9999999999 days.
The complete command to mitigate any other previous configurations is the following:
chage -E -1 -M -1 -I -1 username
AIX: Non expiring password
Changing user history size
change the users password
Clear flags that tells the OS to reset password on login (after password reset)
If you do not want to cause any commotion by editing your user history size you can use the following command to change the security file to say that the last time you reset your password is always today’s date. You can export this in your .profile file so it runs every time you log in as well.
chsec -f /etc/security/passwd -s -a lastupdate=`date +%s`
Here is a full example of chage command (Change age) about Linux expiration password: Completely disable password expiration and account:
-m 0 : Minimum number of days for the password change. -M 99999 : Maximum number of days a password change. -I -1 : We set: "Password inactive" never. -E -1 : We set: "Expires Account" never.
The example username is: sysadmit
[root@linux1~] # chage -m 0 -M 99999 -I -1 -1 -E sysadmit [root@linux1~] # chage --list sysadmit Last password change: July 15, 2017 Password expires: never Password inactive: never Account expires: never Minimum number of days Between password change: 0 Maximum number of days Between password change: 99999 Number of days of warning before Expires password 7