Security plays an important role in computer networks. Since you can’t trust anyone on the network, you have to protect your server. Sometimes a security hole comes not from outside but from inside. One example is the validity of usernames and passwords.
As a system administrator, you know that you have to manage every single user on your system. One common way to increase the security of a user's password is to change it periodically. But not many people are willing to do so voluntarily, so the best way is to have the system force them.
What is chage
Linux has a built-in command named chage. The chage manual page says “The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password.”
You can also force users to change their passwords periodically via the /etc/login.defs file, shown below.
# Password aging controls:
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
But /etc/login.defs affects every user registered on the system. If you want to set up different rules for different users, then chage is the right tool for you.
You can start using chage by typing chage in your console.
If you type chage without any parameters, it displays a short usage summary.
Show account aging information
The first thing you may want to do is review a user's current aging information. Type this command to display it.
$ chage -l user_name
Here’s a sample screenshot.
The information from the screenshot can be read like this:
Please note that the chage command needs root-level privileges to run. The # sign indicates that the chage command is run with root privileges.
Some scenarios on common usage
Set the password age
Since chage is a command for changing password age, this may be the first thing you want to do. Here’s the syntax:
# chage -M 40 pungki.arianto
The above command sets Maximum number of days before password change to 40.
You can see that the value of Maximum number of days before password change has changed to 40. Compared with Figure 1 above, Password expires has changed from Dec 7, 2013 to Dec 17, 2013. This is because chage counts 40 days from the Last password change value.
If the current date is already past the Password expires date, then the next time you log in your password will have expired! Please be careful! Take a look at the screenshot.
Set the Account expires value
Let's say that you are giving a contractor access to your system from the current date until December 20, 2013. After that period their account will expire, which minimizes unauthorized access after that time. This can be done using chage. Here’s the syntax:
# chage -E "2013-12-20" pungki.arianto
Lock account if idle for X days
If the account is expired, then the owner of that account is forced to change their password. From the contractor scenario above, if you want to lock the account immediately, you must set the Account expires and Password inactive parameters to the same value. Use the -I parameter to do it.
# chage -I 13 pungki.arianto
As you can see, the values of Account expires and Password inactive are now the same.
Set the Minimum days user can change the password
If you don’t want users to change their password at any time, you can create a rule that a user can only do it X days after the last time they changed their password. To do this, use the -m parameter.
# chage -m 3 pungki.arianto
With the above example, users can only change their password 3 days after the last time they changed it.
Give user a warning X days before their password expires
For security reasons, users should change their passwords regularly. But most users do not remember when they have to change them. To help with this, the system can warn users X days before their password expires.
# chage -W 5 pungki.arianto
The number 5 after the -W parameter tells chage to start warning the user 5 days before their password expires.
This warning appears every day, each time the user logs in, from the point where Number of days of warning before password expires is reached until the date in Password expires.
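The values set in the scenarios above (-m, -M, -W, -I, -E) are stored per user in /etc/shadow as day counts since 1970-01-01. The script below is an added example, not part of the original article: it classifies accounts from shadow-format lines by their aging state. The sample lines, the status names and the audit_aging function are constructed for illustration, and counting the listed date itself as already expired is an assumption.

```sh
#!/bin/sh
# Added example: classify accounts by password-aging state from shadow(5) lines.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are day counts since 1970-01-01; the others are day spans.

# Constructed sample data. The first line matches the settings used above:
# -m 3, -M 40, -W 5, -I 13, -E 2013-12-20 (day 16059).
sample_shadow() {
cat <<'EOF'
pungki.arianto:$6$constructed:16016:3:40:5:13:16059:
olduser:$6$constructed:15900:0:99999:7:::
newhire:$6$constructed:0:0:90:7:::
idle:$6$constructed:16000:0:30:7:10::
EOF
}

# audit_aging TODAY: TODAY is days since the epoch; shadow lines come on stdin.
# Assumption: the listed date itself already counts as expired (>=).
audit_aging() {
    awk -F: -v today="$1" '
    {
        user = $1; last = $3 + 0; max = $5 + 0; warn = $6 + 0; inact = $7 + 0
        # -E: account expiry wins over everything else
        if ($8 != "" && $8 + 0 >= 0 && today + 0 >= $8 + 0) { print user, "ACCOUNT_EXPIRED"; next }
        # lastchg 0 means the password must be changed at next login
        if ($3 == "0") { print user, "MUST_CHANGE_AT_LOGIN"; next }
        # no -M, or the conventional "never" value: password never ages
        if ($5 == "" || max < 0 || max >= 99999) { print user, "NO_MAX_AGE"; next }
        pw_exp = last + max
        if ($7 != "" && inact >= 0 && today + 0 >= pw_exp + inact) { print user, "PASSWORD_INACTIVE"; next }
        if (today + 0 >= pw_exp) { print user, "PASSWORD_EXPIRED"; next }
        if ($6 != "" && today + 0 >= pw_exp - warn) { print user, "WARNING_PERIOD"; next }
        print user, "OK"
    }'
}

# Demo on the constructed data, as of day 16060 (2013-12-21).
sample_shadow | audit_aging 16060
# On a real host, as root: audit_aging "$(( $(date +%s) / 86400 ))" < /etc/shadow
```

Accounts reported as NO_MAX_AGE are the ones that still need a chage -M value if your policy requires periodic changes.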
Reset the value of chage parameter (disable password aging)
To reset the chage parameters, here are the values that can be used:
Securing your system is something that cannot be compromised on today. Passwords are one of the security components that need to be protected. In addition to choosing strong passwords, changing them regularly is also highly recommended. But not all users are aware of the importance of changing their password regularly. In that case, chage can help you remind your users to change their passwords regularly.