Using Password Aging to Secure your Linux Access

Security plays an important role in computer networks. Since you cannot trust everyone on the network, you have to protect your server. Sometimes a security hole comes not from outside but from inside; one example is how long a username and password remain valid.

As a system administrator, you have to manage every single user on your system. One common way to limit the damage of a guessed or leaked password is to change it periodically, but few people are willing to do so voluntarily. The practical way is to have the system enforce it.

What is chage

Linux ships with a built-in command named chage. The chage manual page says: "The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password."

You can also force users to change their password periodically through the /etc/login.defs file, whose password-aging section looks like this:

# Password aging controls:
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.

But the /etc/login.defs values are defaults: useradd copies them into /etc/shadow when an account is created, so they apply to every new user and do not retroactively change accounts that already exist. If you want different rules for different users, or need to change an existing account, chage is the right tool.

Starting chage

You can start using chage by typing chage in your console. If you run chage without any parameters, it prints a short usage summary listing the available options.

[Screenshot: chage usage output]

Show account aging information

The first thing you may want to do is review the current aging settings of a user. You can display them with this command (a regular user can list only his or her own account; listing other users requires root):

$ chage -l user_name

Here's a sample screenshot.

[Figure 1: screenshot of chage -l output for user pungki.arianto]

The information in the screenshot reads as follows:

  • Last password change: the last time user pungki.arianto changed his password, November 7, 2013.
  • Password expires: the date the password stops being valid, here December 7, 2013. It is computed as Last password change plus the maximum number of days shown below.
  • Password inactive: the date after which an account whose password has expired, but has not been changed, is locked. When the value is never, the account is never locked this way: if pungki.arianto has still not changed his password by December 8, 2013, the system forces him to change it when he logs in, but it does not lock the account.
  • Account expires: never means the account stays active. If the value is a date, the account can only be used until that date, regardless of the state of the password.
  • Minimum number of days between password change: if the value is 0 (zero), the user can change the password at any time. If the value is, say, 2, the user can only change the password again 2 days after the last change.
  • Maximum number of days between password change: the number of days a password remains valid. If the value is 30, the user must change the password within 30 days of the last change.
  • Number of days of warning before password expires: the system warns the user at login that the password expires in X days, where X counts down from this value until the expiry date.
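The dates that chage -l prints are derived from the numeric fields of /etc/shadow (day counts since 1970-01-01), and the same fields are what you audit when checking whether existing accounts actually comply with the PASS_MAX_DAYS you put in /etc/login.defs. The script below is an added example, not code from the original article: it reads constructed shadow-style records embedded in the script (not from a real system; the names, hashes and day numbers are made up, except that day 16016 is November 7, 2013 from Figure 1) and reports, per account, the expiry, inactivity-lock and account-expiry days that chage -l would show as dates, plus a status against a maximum-days policy you pass in.

```bash
#!/usr/bin/env bash
# Added example: audit password-aging fields straight from /etc/shadow-style
# records, the same fields "chage -l" turns into dates.
# Field layout: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# lastchange and expire are days since 1970-01-01; an empty field means "not set".

# Constructed sample records (not from a real system). Day 16016 is 2013-11-07,
# the "Last password change" date in the article's Figure 1.
SAMPLE_SHADOW='pungki.arianto:$6$x$hash:16016:0:30:7:::
contractor:$6$x$hash:16016:0:40:5:3:16059:
svc-backup:$6$x$hash:16016:0:99999:7:::
legacy:$6$x$hash::0:::::'

# days_to_date DAYS: render a day count as YYYY-MM-DD (GNU date), "never" if unset.
days_to_date() {
  case $1 in ''|never) echo never; return ;; esac
  date -u -d "@$(( $1 * 86400 ))" +%F 2>/dev/null || echo "day $1"
}

# audit_shadow MAX_ALLOWED: read shadow records on stdin and print, per account,
# a status plus the derived day numbers chage -l would report as dates.
# MAX_ALLOWED is your policy (e.g. PASS_MAX_DAYS from /etc/login.defs); login.defs
# only seeds new accounts, so existing ones have to be checked like this.
audit_shadow() {
  awk -F: -v lim="$1" '
  {
    name = $1; last = $3; max = $5; inact = $7; expire = $8
    if (last == "")                          status = "aging-disabled"
    else if (last == 0)                      status = "must-change-at-next-login"
    else if (max == "" || max + 0 >= 99999)  status = "no-max-days"
    else if (max + 0 > lim)                  status = "max-too-long"
    else                                     status = "ok"
    expday  = (last != "" && max != "" && max + 0 < 99999) ? last + max : "never"
    lockday = (expday != "never" && inact != "") ? expday + inact : "never"
    accexp  = (expire == "") ? "never" : expire
    print name, status, "pw_expires_day=" expday, "lock_day=" lockday, "account_expires_day=" accexp
  }'
}

# report MAX_ALLOWED: the same audit over the sample, with day numbers shown as dates.
report() {
  printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow "$1" |
  while read -r name status exp lock acc; do
    printf '%-15s %-26s pw_expires=%s locked=%s account_expires=%s\n' \
      "$name" "$status" "$(days_to_date "${exp#*=}")" \
      "$(days_to_date "${lock#*=}")" "$(days_to_date "${acc#*=}")"
  done
}

report 90
```

On a real host you would replace the sample with `sudo awk ... /etc/shadow` or pipe the file in; the svc-backup and legacy rows show the two ways an account silently escapes aging (a 99999-day maximum, and an empty last-change field), which is what a periodic audit should be looking for.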

Please note that chage needs root privileges, except for listing your own account with chage -l. The # prompt in the examples below indicates that the chage command is run as root.

    Some scenarios on common usage

    Set the password age

Since chage is a command for changing the password age, this is probably the first thing you want to do. Here's the syntax:

    # chage -M 40 pungki.arianto

The command above sets Maximum number of days between password change to 40.

[Screenshot: chage -l after chage -M 40]

You can see that the value of Maximum number of days between password change is now 40. Compared with Figure 1 above, Password expires has moved from Dec 7, 2013 to Dec 17, 2013, because chage counts the 40 days from the Last password change date, not from today.

If the current date is already past the new Password expires date, the password is expired the next time the user logs in and the system forces a change on the spot. Be careful with this when you shorten -M on an account whose last change is old.

[Screenshot: Password expires moved backward by a smaller -M value]

[Screenshot: forced password change at login]

    Set the Account expires value

Let's say you are giving a contractor access to your system from today until December 20, 2013. After that date the account expires, which prevents unauthorized use of a forgotten account after the engagement ends. This can be done with chage. Here's the syntax (the date is given as YYYY-MM-DD):

# chage -E "2013-12-20" pungki.arianto

[Screenshot: chage -l showing Account expires]

Lock account if the password stays expired for X days

An expired password does not by itself lock the account: the owner is simply forced to change the password at the next login, as described for Password inactive above. The -I parameter sets the number of days after Password expires during which that grace period lasts; once it has passed, the account is locked and an administrator has to reset it. In the contractor scenario above, you can make this lock coincide with the account expiry by choosing the -I value so that the computed Password inactive date equals the Account expires date, 13 days in the author's setup:

# chage -I 13 pungki.arianto

[Screenshot: chage -l after chage -I 13]

As you can see, the values of Account expires and Password inactive are now the same. Note that -E alone already denies login after that date; -I is the more general control, because it also locks any account whose owner never changes an expired password.
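To see which of these dates actually stops a login, and in which order they are checked, here is an added example that is not code from the article. It models the account checks the way pam_unix performs them at login as this example reads them (account expiry first, then password age against the maximum and the inactive window, then the warning window); the exact boundaries are this example's assumption, and the day numbers are days since 1970-01-01 as stored in /etc/shadow, using the article's dates (last change November 7, 2013 = day 16016, account expiry December 20, 2013 = day 16059).

```bash
#!/usr/bin/env bash
# Added example: which chage date blocks a login, and in what order the checks run.
# Mirrors the account checks of pam_unix as read for this example (assumption):
# account expiry, then password age vs max/inactive days, then the warning window.
# All arguments are day numbers since 1970-01-01. An empty argument or -1 means
# the field is unset, as chage -M -1 / -W -1 / -I -1 / -E -1 leave it.

# login_state TODAY LAST MAX WARN INACT EXPIRE -> prints one of:
#   ok | warn:N | must-change | locked-inactive | account-expired
login_state() {
  local today=$1 last=$2 max=$3 warn=$4 inact=$5 expire=$6
  [ -n "$max" ]    || max=-1
  [ -n "$warn" ]   || warn=-1
  [ -n "$inact" ]  || inact=-1
  [ -n "$expire" ] || expire=-1
  # An empty last-change field disables password aging entirely (shadow(5)).
  [ -n "$last" ] || { echo ok; return; }
  # Account expiry (-E) is checked first and is independent of the password.
  if [ "$expire" -ge 0 ] && [ "$today" -ge "$expire" ]; then echo account-expired; return; fi
  # A last-change day of 0 (chage -d 0) forces a change at the next login.
  if [ "$last" -eq 0 ]; then echo must-change; return; fi
  local age=$(( today - last ))
  if [ "$max" -ge 0 ] && [ "$age" -gt "$max" ]; then
    # Past the maximum: the user must change the password, unless the inactive
    # window (-I) has also run out, in which case the account is locked.
    if [ "$inact" -ge 0 ] && [ "$age" -gt $(( max + inact )) ]; then
      echo locked-inactive
    else
      echo must-change
    fi
    return
  fi
  if [ "$max" -ge 0 ] && [ "$warn" -ge 0 ] && [ "$age" -gt $(( max - warn )) ]; then
    echo "warn:$(( last + max - today ))"; return
  fi
  echo ok
}

days_to_date() { date -u -d "@$(( $1 * 86400 ))" +%F 2>/dev/null || echo "day $1"; }

# Walk the article's contractor: last change 2013-11-07 (day 16016) after
# chage -M 40 -W 5 -I 3 -E 2013-12-20 (day 16059).
timeline() {
  local d
  for d in 16040 16052 16057 16059; do
    printf '%s %s\n' "$(days_to_date "$d")" "$(login_state "$d" 16016 40 5 3 16059)"
  done
  # The same account with -E removed (chage -E -1): the inactive window locks it instead.
  printf '%s (no -E) %s\n' "$(days_to_date 16061)" "$(login_state 16061 16016 40 5 3 "")"
}
timeline
```

The timeline shows the practical difference between the two controls: -E denies login on a fixed date whatever the password state, while -I only locks an account after its password has expired and the grace period has run out, so an account whose password is changed on time is never locked by -I.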

    Set the Minimum days user can change the password

If you don't want users to change their password whenever they like, you can set a rule that they can only do it X days after the last time they changed it. Use the -m parameter for this; it stops a user from changing the password and immediately changing it back to the old one.

    # chage -m 3 pungki.arianto

[Screenshot: chage -l after chage -m 3]

With this setting, users can change their password again only 3 days after the last time they changed it.

    Give user a warning X days before their password expires

For security reasons, users should change their password regularly, but most users do not remember when they have to do it. To anticipate this, the system can warn users X days before their password expires.

    # chage -W 5 pungki.arianto

[Screenshot: chage -l after chage -W 5]

The number 5 after the -W parameter tells chage to warn the user at login starting 5 days before the password expires.

[Screenshot: password expiry warning at login]

The warning appears at every login from the day the remaining validity drops to the configured number of days until the Password expires date is reached.

Reset the chage parameters (disable password aging)

To reset the chage parameters, use these values:

  • -m 0 ; resets Minimum number of days between password change to 0 (zero)
  • -M -1 (capital M and minus one) ; removes the maximum, so Maximum number of days between password change is no longer enforced and Password expires shows never (-M 99999 has the same practical effect)
  • -I -1 (capital I and minus one) ; resets Password inactive to never
  • -E -1 (capital E and minus one) ; resets Account expires to never
  • -W 0 (capital W and zero) ; resets Number of days of warning before password expires to 0 (zero), so no warning is shown

[Screenshot: chage -l with password aging disabled]

Securing your system is something that cannot be compromised on today. Passwords are one of the security components that need protecting. In addition to choosing strong passwords, changing them regularly is highly recommended, but not all users are aware of why that matters. In this situation chage lets you remind users, and if necessary force them, to change their password regularly.

    Pungki Arianto 3:00 am

