Home » Categories » Linux

How to manage Linux password expiry with the chage command

Article Number: 356 | Rating: Unrated | Last Updated: Tue, Sep 11, 2018 4:00 PM

As a Linux admin, you're probably accustomed to passwdchownchmod, and chgrp...all commands for managing various elements of user accounts, files, and folders. There is another command that all Linux administrators must know: chage (think of change age).

With the chage command you can change the number of days between password changes, set a manual expiration date, list account aging information, and more. It's a very handy tool for any admin wanting to ensure their users stay on top of changing their passwords regularly.

SEE: Want a good tech job? Report says open-source skills are hotter than ever (ZDNet)

Installing chage

 

 

More about cybersecurity

There is no installation needed for this tool, as it should be found on your distribution by default. As you probably expect, chage is a command line tool, so you'll be required to work within a terminal window.

Using chage

The basic structure for the chage command looks like:

chage [options] USERNAME

You can choose from plenty of options—the most immediately useful of those options are:

  • -E Set the expire date for a user password. The date is expressed in the format YYYY-MM-DD.
  • -I Set the number of inactive days allowed, after a password expires, before the account is locked.
  • -l List the account aging information.
  • -m Set the minimum number of days allowed between password changes. Setting this option to 0 allows the user to change their password at any time.
  • -M Set the maximum number of days in which a password is valid.
  • -W Set the number of days of warning before a user must change their password.

Examples of chage in action

 

We'll manage the password for user bethany. First, let's list the account aging information for bethany. To do this, we issue the command:

sudo chage -l bethany

This command should produce something similar to Figure A.

Figure A

 

Figure A
Account aging information for user bethany.
Image: Jack Wallen

 

Now let's set bethany's password to expire on July 10, 2016. The command would be:

sudo chage -E 2016-07-10 bethany

When we execute chage -l bethany, we see the expiration date listed (Figure B).

Figure B

 

Figure B
A new expiration date for bethany's password.
Image: Jack Wallen

 

A better way to set an expiration date is to set the number of days since the last password change; this will remain in effect until the administrator removes or changes that option. Say you want passwords to be changed every 30 days—you would issue the command:

sudo chage -E 30 bethany

The next time the user changes their password, the days between will reset, and they will have a fresh 30 days before their password expires.

If you've added an explicit expiration date, you can remove it with the command:

sudo chage -E -1 bethany

Our next move will be to give the user a warning that their password will expire. By default, the warning will be issued seven days in advance (this is only set once you create an expiration date for the password or the number of days between password changes). Let's change that warning to one day in advance (because who needs more than that?). To set this, issue the command:

sudo chage -W 1 bethany

You should see the change in warning days reflected in the new output (Figure C).

Figure C

 

Figure C
Bethany will now get a warning the day before her password expires.
Image: Jack Wallen

 

What happens when bethany attempts to log in to a machine once her password has expired? If she's ssh'ing from another machine, she'll get a clear warning (Figure D).

Figure D

 

Figure D
Uh oh, the password has expired for bethany.
Image: Jack Wallen

 

Bethany will get the same warning should she attempt to log on to her desktop as well. To rectify that, her password must be changed.

You can set the number of days after a password has expired before an account will be locked. Once an account is locked, it can only be unlocked by an administrator. To set this option, the command would look like:

sudo chage -I 10 bethany

Once that command has been issued, the account for bethany will lock 10 days after her password has expired. This particular option does not show in the chage -l command, so a user will not know how many days they have, after their password has expired, before the account is locked.

Make use of chage

I highly recommend every Linux admin take charge of user password expiration with the chage command. Security is a must, and if users aren't changing their passwords regularly, your data could be at risk. The chage command can certainly help you ensure those passwords are changed.
Posted - Tue, Sep 11, 2018 4:00 PM. This article has been viewed 10898 times.
Filed Under: Linux
0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
How To: Linux Hard Disk Encryption With LUKS [ cryptsetup Command ]
Viewed 7004 times since Fri, Jul 13, 2018
Open SSL HowTo: Decode SSL Certificate
Viewed 5817 times since Mon, Feb 18, 2019
Using Kerberos security with Server for NFS
Viewed 8854 times since Wed, Jun 27, 2018
red hat 7 tmpfiles service
Viewed 1514 times since Thu, Oct 11, 2018
A Simple Guide to Oracle Cluster File System (OCFS2) using iSCSI on Oracle Cloud Infrastructure
Viewed 7651 times since Sat, Jun 2, 2018
LVM basic
Viewed 1942 times since Sat, Jun 2, 2018
RHEL: Back-up/Replicate a partition table
Viewed 2992 times since Sun, May 27, 2018
Tips to Solve Linux & Unix Systems Hard Disk Problems
Viewed 3842 times since Fri, May 15, 2020
List DNS records, nameservers of a domain from command line
Viewed 1665 times since Sun, Sep 30, 2018
Linux - How to perform I/O performance test with dd command
Viewed 5655 times since Fri, Jun 8, 2018