Linux Chage Command to Set Password Aging for User


The command name ‘chage’ is an acronym for ‘change age’. This command is used to change a user's password aging/expiry information.

As a system administrator, it's your task to enforce password changing policies so that after a certain period of time, users will be compelled to reset their passwords.

Unauthorized users cannot view another user's password aging/expiry information. As the root user, you can execute this command to modify the aging information.

Syntax

chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] user

You can also force users to change their passwords periodically via the /etc/login.defs file, shown below.

# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7

But /etc/login.defs affects every user registered on the system. If you want to set up different rules for different users, then chage is the right tool for you.

If you type chage without any parameters, it displays a quick usage guide. We can go through some examples to get a better understanding of this command.

1) List the password aging information of a user

To view the password expiry details of a user, run the command below:

chage -l testuser

Output:

Last password change : May 01, 2012
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

As you can see, password expiration is disabled for this user.

2) Disable password aging for a user

This will disable the password expiry of a user if it is already enabled.

chage -I -1 -m 0 -M 99999 -E -1 testuser

• -I -1 : This will set the “Password inactive” to never

• -m 0 : This will set the minimum number of days between password change to 0

• -M 99999 : This will set the maximum number of days between password change to 99999

• -E -1 : This will set “Account expires” to never.

3) Enable password expiry date of a user

In most cases, as an administrator, you need to set a password expiry date for all users for the purpose of better security. Once you enable password expiry date for a user, the user will be forced to change their password at the time of the next login after the expiry date.

Set the password to expire after 20 days. For this, we'll use the -M option as shown:

chage -M 20 testuser

Output (from chage -l testuser):

Last password change : May 01, 2012
Password expires : May 21, 2012
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 20
Number of days of warning before password expires : 7

4) Set the Account expiry date in the format ‘YYYY-MM-DD’

The chage command can also be used to set the expiry date of a user's account. This is achieved using the -E option as shown below. Note that the format of the date is YYYY-MM-DD. The command below sets the account of user 'james' to expire on 28th May 2012.

chage -E "2012-05-28" james

Output (from chage -l james):

Last password change : May 01, 2012
Password expires : May 21, 2012
Password inactive : never
Account expires : May 28, 2012
Minimum number of days between password change : 0
Maximum number of days between password change : 20
Number of days of warning before password expires : 7

5) Set the password expiry warning message

By default, this value is set to 7. So, when a user logs in within the 7 days before expiry, they will start getting a warning about the looming password expiry. If you want to change it to 10 days, you can do it as follows:

chage -W 10 testuser

6) Forcing the users to change the password on next logon

When you create a new user account, you can force the user to change the password when they log in for the first time as follows:

chage -d 0 testuser

This will reset “Last Password Change” to “Password must be changed”.
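
The values set in sections 1 to 6 are stored per user in /etc/shadow, so a single pass over that file shows which accounts still have password aging disabled. The audit function below is an added example, not part of the original article; MAX_ALLOWED and the sample accounts are constructed assumptions.

```shell
# Audit password aging from shadow-format lines on stdin.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire
# (lastchg and expire are days since 1970-01-01; they map to
#  chage -d, -m, -M, -W, -I and -E respectively).
# MAX_ALLOWED is a hypothetical policy value, not from the article.
MAX_ALLOWED=90

audit_aging() {
    awk -F: -v limit="${1:-$MAX_ALLOWED}" '
        # Locked accounts cannot log in with a password; skip them.
        $2 ~ /^[!*]/ { next }
        {
            status = ""
            if ($3 == "0")
                status = "must change password at next login (chage -d 0)"
            else if ($5 == "" || $5 + 0 >= 99999)
                status = "password never expires (chage -M 99999)"
            else if ($5 + 0 > limit)
                status = "max age " $5 " days exceeds policy of " limit
            else if ($6 == "" || $6 + 0 == 0)
                status = "no expiry warning configured (chage -W)"
            if (status != "")
                print $1 ": " status
        }'
}

# Constructed sample data modelled on the users in this article.
# On a real host, run as root: audit_aging < /etc/shadow
sample_shadow() {
    cat <<'EOF'
testuser:$6$constructed$hash:15461:0:99999:7:::
james:$6$constructed$hash:15461:0:20:7::15488:
newhire:$6$constructed$hash:0:0:90:7:::
svc:!:15461:0:99999:7:::
alice:$6$constructed$hash:15461:0:180:7:::
EOF
}

sample_shadow | audit_aging
```

Pass a different limit as the first argument, for example audit_aging 365, to check against another maximum age.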

Conclusion

A few points to note as I wrap up:

  1. A root user can change and view password information for any user, but a non-root user can only view and change his own password information.
  2. After the password expires, the user will not be able to log in to the system until he/she sets up a new password. The system will prompt the user to enter the old password, then prompt for a new password, and then ask to confirm it.

Feel free to try out the commands above and let us have your thoughts on this. Thank you.


Bobbin Zachariah 10:06 pm
