User password expire in linux

3 ways to change user account expiration date in Linux

In this blog post, we will discuss three different ways to set the user account expiration date in Linux. The first way is to use the chage command, the second way is to use the usermod command and the third way is to use useradd command.

We will also discuss some of the benefits of using each method. Let’s get started!

Difference between password expiration and account expiration

In Linux, password expiration and account expiration are two separate concepts.

Password expiration means that user needs to change the password on next login. The user still be able to login after resetting the password. This is a security measure to ensure that passwords are regularly updated and not compromised.

Here is the error message when your password is expired.

(test@howtouselinux) You are required to change your password immediately (password expired)
Current password:
(test@howtouselinux) New password:

In the case of account expiration, the user account will be locked. Hence it is not able to log in at all. This can be useful for temporary accounts that are only needed for a certain period of time.

Here is the error message when your account is expired.

Your account has expired; please contact your system administrator

change user password expiration date with chage command in Linux

To change the password expiration date for a user in Linux, you can use the chage command. Here are the steps:

1. Open the terminal and log in as root or a user with sudo privileges.

2. Run the following command to change the password expiration date for a user (replace username with the name of the user):

The -M option specifies the maximum number of days between password changes.

That means that new password expiration date is = last password change date + max days.

For example, to set the maximum password age to 90 days for the user john, you can run the command:

To view the current password aging settings for a user, you can run:

This will show you the current values for password aging options like maximum age, minimum age, warning period, and inactive period.

You can also set other password aging options with the chage command. For example, to set the minimum number of days required between password changes to 10, you can run:

This will prevent the user from changing the password too frequently.

That’s it! You have successfully changed the password expiration date for a user in Linux using the chage command.

[root@howtouselinux ~]# chage -l test1
Last password change : Mar 26, 2023
Password expires : May 25, 2023
Password inactive : Jun 24, 2023
Account expires : never
Minimum number of days between password change : 7
Maximum number of days between password change : 60
Number of days of warning before password expires : 7

[root@howtouselinux ~]# chage -M 90 test1

[root@howtouselinux ~]# chage -l test1
Last password change : Mar 26, 2023
Password expires : Jun 24, 2023
Password inactive : Jul 24, 2023
Account expires : never
Minimum number of days between password change : 7
Maximum number of days between password change : 90
Number of days of warning before password expires : 7

Here, we can see that the new password expiration date Jun 24, 2023 = Last password change date Mar 26, 2023 + Max days 90

You can use this command to remove a password expiration date. This can be useful if you want to set a user’s password to never expire.

To do this, you would run the following command:

This will set the password expiration date to -1, which means that the password will never expire.

change user account expiration date with chage command in Linux

The easiest way to change the user account expiration date in Linux is using chage command. You need to be logged in as the root user and run the following command to change the account expiration date for a user:

chage -E YYYY-MM-DD USERNAME

Replace “YYYY-MM-DD” with the actual date you want the user’s account to expire on. Replace “USERNAME” with the actual username of the user you want to set the expiration date for.

Once you have run this command, the user’s account will expire on the date you specified.

sudo chage -E 2021-02-28 charlie
donnie@ubuntu-steemnode:~$ sudo chage -l charlie
Last password change : Oct 06, 2019
Password expires : Never
Password inactive : Jan 08, 2020
Account expires : Feb 28, 2021
Minimum number of days between password change : 3
Maximum number of days between password change : 90
Number of days of warning before password expires : 4

1. The first row of the output reports the last date in which the password for the account was changed (Last_password_change).
2. The second line reports the date in which the current password will expire (Password_expires). In this case the reported value is “never”, so the password expiration feature is disabled (the password will never expire).
3. The third line show us the Password inactive date.
4. On the fourth row we can check the account expiration date (Account expiration). As a value for this option we can provide a specific date or alternatively a number of days since “January 1, 1970”, after which the user account will be locked.
5. On the next two lines we can see the minimum number of days which should pass between two password changes (Minimum number of days between password change), and the maximum number of days a password should be valid (Maximum number of days between password change).
6. Finally, in the last row of the program output we can see how many days before the password expiration event a warning should be sent to the user. The current value is 4; it is irrelevant, however, since password expiration is disabled.

we can set a password expiration date using the -M option, in order to set the maximum number of days in which a password should be considered valid. For example to set the password validity to 30,

we would run:$ sudo chage -M 30 egdoc
The above command will set the password to expire 30 days from the last change.

change user account expiration date with usermod command in Linux

The usermod command is another way to set the account expiration date in Linux. To use the usermod command, you need to be logged in as the root user. usermod -e YYYY-MM-DD USERNAME

sudo usermod -e 2023-07-31 samson
sudo chage -l samson

change user account expiration date with useradd command in Linux

The third way to set the user account expiration date in Linux is to use the useradd command. To use the useradd command, you need to be logged in as the root user.

sudo useradd -e 2023-06-30 samson
sudo chage -l samson

To change the defaults in the useradd file, you can either hand-edit the file or use useradd -D with the appropriate option switch for the item that you want to change. For example, to set a default expiration date of December 31, 2023, the command would be as follows: sudo useradd -D -e 2023-12-31

To see the new configuration, you can either open the useradd file or just do sudo useradd -D:
[donnie@localhost ~]$ sudo useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=2023-12-31
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

You’ve now set it so that any new user accounts that get created will have the same expiration date.

Each of these methods has its own benefits. The chage command is the most common way to set the user password expiration date in Linux because it is easy to use and it doesn’t require any additional packages to be installed.

The usermod command is a good choice if you are already using the usermod command for other tasks such as modifying the user’s home directory or shell. The useradd command is a good choice if you are already using the useradd command to create new users.

Which method do you prefer to use? Let us know in the comments below!

David is a Cloud & DevOps Enthusiast. He has years of experience as a Linux engineer. He had working experience in AMD, EMC. He likes Linux, Python, bash, and more. He is a technical blogger and a Software Engineer. He enjoys sharing his learning and contributing to open-source.

howtouselinux.com is dedicated to providing comprehensive information on using Linux.

We hope you find our site helpful and informative.

Источник

How to Manage User Password Expiration and Aging in Linux

System administration involves numerous tasks including managing users/groups and under user management, some of the minor tasks involved are adding, modifying, suspending, or deactivating user accounts, and many more.

This article will explain one of the critical user account management functions, how to set or change user password expiration and aging in Linux using the chage command.

The chage command is used to modify user password expiry information. It enables you to view user account aging information, change the number of days between password changes and the date of the last password change.

Once you have set password expiry and aging information, this information is used by the system to determine when a user must change his/her password. Normally, companies or organizations have certain security polices that demand users to change passwords regularly: this can be a simple way to enforce such policies as we explained below.

To view a user account aging information, use the -l flag as shwon.

To set the date or number of days (since January 1, 1970) when the password was last changed, use the -d flag as follows.

Next, you can also set the date or number of days (since January 1, 1970) on which the user’s account will no longer be accessible by using the -E switch as shown in the following command.

In this case, once a user’s account is locked, he/she is required to contact the system administrator before being able to use the system again.

Then, the -W option allows you to set the number of days of warning before a password change is required. Considering the command below, the user ravi will be warned 10 days prior to his password expiring.

In addition, you can set the number of days of inactivity after a password has expired before the account is locked. This example means that after user ravi’s password expires, his account will be inactive for 2 days before it is locked.

When the account becomes inactive, he must contact the system administrator before being able to use the system again.

For more information, refer to the chage man page.

Note that you can also change a user’s password expiration and aging information using the usermod command, which is actually intended for modifying a user account.

That’s it for now. Hoping you find this article informative and useful, if you have any questions to ask, use the feedback form below.

Источник

How to set user password expirations on Linux

Use the chage command to force users to change their passwords to comply with your password-aging policies.

User accounts created on Red Hat Enterprise Linux (RHEL) servers are by default assigned 99,999 days until their password expires. The Center for Internet Security (CIS) provides some advice on controls for hardening systems, and one of these is setting password expirations to 365 days or less. The security team usually enforces this setting, but system administrators must ensure this is done.

Training & certification

Use the /etc/login.defs file to set password aging policies. All new users inherit the definitions set in login.defs . You’ll use the chage command to manage password-aging polices.

In /etc/login.defs , you can adjust the following parameters to reflect your security policy or control:

• PASS_MAX_DAYS: How many days the password is active before it expires.
• PASS_MIN_DAYS: How many days a password must be active before it can be changed by a user.
• PASS_WARN_AGE: The number of days a warning is issued to the user before an impending password expiry.

The following example modifies your policy such that a password expires after 90 days and cannot be changed until it’s been active for seven days, and users are notified five days prior to password expiry:

PASS_MAX_DAYS 90 PASS_MIN_DAYS 7 PASS_WARN_AGE 5

Changes made to /etc/login.defs affect only new users created on the system. For existing users, you must use the chage command.

You can set the same configuration for existing users with:

$ sudo chage --mindays 7 \ --maxdays 90 --warndays 5 user1

View password age

To view the password age for a user, use the —list option ( -l for short) with the chage command. For example, to view password information for user1:

$ sudo chage --list user1 Minimum number of days between password change : 7 Maximum number of days between password change : 90 Number of days of warning before password expires: 5 

Источник