
How to use the Linux password expiry command chage


Welcome to our new article. In this tutorial we will learn how to manage Linux password expiry settings using the "chage" command. Changing passwords at regular intervals is a good security practice, but normal users and developers will not change their passwords regularly, or sometimes at all, unless you as system administrator come up with a policy (I would say technique) that forces them to do so. How often users must change their passwords depends on your company's security policy.

Commands we will learn

chage -l, chage -M, chage -m, chage -I, chage -E, chage -W, chage -d 0, chfn, chfn -f.

Introduction

The chage command is used for showing the password aging information of a user. It shows when the user last changed the password and the minimum and maximum number of days between password changes. A normal user cannot change or set password aging information; only root has the rights to do that.

Configuration variables in /etc/login.defs change the behavior of these files:

  • /etc/passwd user account information
  • /etc/shadow secure user account information

You can see a user's password aging information with the chage command.

Syntax: chage -l username (lowercase L)

[fahmed@faraz ~]$ chage -l fahmed
Last password change                                  : never
Password expires                                      : never
Password inactive                                     : never
Account expires                                       : never
Minimum number of days between password change        : 0
Maximum number of days between password change        : 99999
Number of days of warning before password expires     : 7
[fahmed@faraz ~]$

As you can see in the example above, last password change, password expires, password inactive and account expires are set to never by default, and the rest of the values are also defaults.

Now I want to change my password and see the last password change value.

[root@faraz fahmed]# date
Sun Feb 28 23:27:22 PKT 2016

[root@faraz fahmed]# passwd fahmed
Changing password for user fahmed.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

[root@faraz fahmed]# chage -l fahmed
Last password change                                   : Feb 28, 2016
Password expires                                       : never
Password inactive                                      : never
Account expires                                        : never
Minimum number of days between password change         : 0
Maximum number of days between password change         : 99999
Number of days of warning before password expires      : 7
[root@faraz fahmed]#

Yes, the password has been changed successfully, and when I check the password aging information it shows the password change date, as in the example above.

To set the password expiry date, set the maximum number of days using option -M.

Syntax: chage -M no_of_days username

[root@faraz fahmed]# chage -M 15 fahmed

[root@faraz fahmed]# chage -l fahmed
Last password change                                    : Feb 28, 2016
Password expires                                        : Mar 14, 2016
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 15
Number of days of warning before password expires       : 7
[root@faraz fahmed]#

Notice in the example above that after setting the expiry date, the maximum number of days value has been updated from 99999 to 15 and password expires

After that I want to set the password inactive date using option -I (capital i).

Syntax: chage -I no_of_days username

[root@faraz fahmed]# chage -I 16 fahmed

[root@faraz fahmed]# chage -l fahmed
Last password change                                    : Feb 28, 2016
Password expires                                        : Mar 14, 2016
Password inactive                                       : Mar 30, 2016
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 15
Number of days of warning before password expires       : 7

As you can see in the output above, the password expiry date is 15 days after the last change (Mar 14, 2016). If the password has expired and the user logs in, the user is prompted to change the password. But if the user never logs in and a further 16 days pass (Mar 30, 2016), the user account will be locked (inactive).

Set the minimum number of days between password changes using option -m.

Syntax: chage -m no_of_days username

[root@faraz fahmed]# chage -m 10 fahmed

[root@faraz fahmed]# chage -l fahmed
Last password change                                    : Feb 28, 2016
Password expires                                        : Mar 14, 2016
Password inactive                                       : Mar 30, 2016
Account expires                                         : never
Minimum number of days between password change          : 10
Maximum number of days between password change          : 15
Number of days of warning before password expires       : 7
[root@faraz fahmed]#

For the account expiry date use option -E; the date must be given in the format "YYYY-MM-DD". Syntax: chage -E "YYYY-MM-DD" username

[root@faraz fahmed]# chage -E "2016-04-02" fahmed

[root@faraz fahmed]# chage -l fahmed
Last password change                                       : Feb 28, 2016
Password expires                                           : Mar 14, 2016
Password inactive                                          : Mar 30, 2016
Account expires                                            : Apr 02, 2016
Minimum number of days between password change             : 10
Maximum number of days between password change             : 15
Number of days of warning before password expires          : 7
[root@faraz fahmed]#

Set the number of days of warning before password expiry using option -W.

The default value is 7: when a user logs in within 7 days of the expiry date, they start to get a warning message about password expiry.

Syntax: chage -W no_of_days username

[root@faraz fahmed]# chage -W 11 fahmed

[root@faraz fahmed]# chage -l fahmed
Last password change                                   : Feb 28, 2016
Password expires                                       : Mar 14, 2016
Password inactive                                      : Mar 30, 2016
Account expires                                        : Apr 02, 2016
Minimum number of days between password change         : 10
Maximum number of days between password change         : 15
Number of days of warning before password expires      : 11
[root@faraz fahmed]#

To force the user to change the password at next logon, use option -d 0.

Syntax: chage -d 0 username

[root@faraz fahmed]# chage -d 0 fahmed

[root@faraz fahmed]# chage -l fahmed
Last password change                               : password must be changed
Password expires                                   : password must be changed
Password inactive                                  : password must be changed
Account expires                                    : Apr 02, 2016
Minimum number of days between password change     : 10
Maximum number of days between password change     : 15
Number of days of warning before password expires  : 11
[root@faraz fahmed]#

As you can see in the example above, the first three entries show "password must be changed".

To disable password aging for a user, or in other words reset the settings to their defaults, use the command chage -I -1 -m 0 -M 99999 -E -1 username.

  • -I -1 sets password inactive to never.
  • -m 0 sets the minimum number of days between password changes to 0.
  • -M 99999 sets the maximum number of days between password changes to 99999.
  • -E -1 sets account expiry to never.

(Note: the number of warning days stays as set by the last command that changed it.)

[root@faraz fahmed]# chage -I -1 -m 0 -M 99999 -E -1 fahmed

[root@faraz fahmed]# chage -l fahmed
Last password change                                   : Feb 28, 2016
Password expires                                       : never
Password inactive                                      : never
Account expires                                        : never
Minimum number of days between password change         : 0
Maximum number of days between password change         : 99999
Number of days of warning before password expires      : 11
[root@faraz fahmed]#
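
The values set with the options above are stored in /etc/shadow as day counts since 1970-01-01. The following shell function is an added example, not part of the original article: it reads shadow-format lines and reports where each account stands on a given day. The function name aging_status, its status labels and the sample lines are assumptions made for illustration; the fahmed line carries the values set in this tutorial (day 16859 is Feb 28, 2016).

```bash
#!/usr/bin/env bash
# Added example (not from the article): classify password aging state.
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are days since 1970-01-01; the rest are day counts.
# Assumption: a date counts as reached when today >= that day number.

# Constructed sample lines; fahmed carries the values set in the article.
SAMPLE_SHADOW='fahmed:!!:16859:10:15:11:16:16893:
svc:!!:16859:0:99999:7:::
newuser:!!:0:0:15:7:::'

# aging_status TODAY < shadow-format lines
# Prints "user STATUS day" (day is "-" when no date applies).
aging_status() {
  awk -F: -v today="$1" '
    $1 == "" || /^#/ { next }
    {
      user = $1; last = $3; max = $5; warn = $6; inact = $7; acct = $8
      # chage -E: account expiry overrides everything else
      if (acct != "" && acct >= 0 && today >= acct) {
        print user, "ACCOUNT_EXPIRED", acct; next }
      # chage -d 0: password must be changed at next login
      if (last == "0") { print user, "MUST_CHANGE", "-"; next }
      # chage -M 99999 (or unset): password never expires
      if (last == "" || max == "" || max < 0 || max >= 99999) {
        print user, "NO_AGING", "-"; next }
      pwexp = last + max                     # "Password expires"
      if (today >= pwexp) {
        # chage -I: days after expiry until the account goes inactive
        if (inact != "" && inact >= 0 && today >= pwexp + inact) {
          print user, "INACTIVE", pwexp + inact; next }
        print user, "PASSWORD_EXPIRED", pwexp; next
      }
      # chage -W: warning window before expiry
      if (warn != "" && today >= pwexp - warn) {
        print user, "WARNING", pwexp; next }
      print user, "OK", pwexp
    }'
}

# Day 16865 is Mar 5, 2016, inside the 11-day warning window for fahmed.
printf '%s\n' "$SAMPLE_SHADOW" | aging_status 16865
```

On a real system, run it as root with /etc/shadow on standard input and today computed as $(( $(date +%s) / 86400 )); accounts reported as NO_AGING are the ones the aging policy does not cover.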

Bonus commands

Finally, I want to change my personal information from the command line using the chfn command.

Syntax: chfn username

[root@faraz fahmed]# chfn fahmed
Changing finger information for fahmed.
Name [Faraz Ahmed]: Faraz.Ahmed
Office []: abc 123
Office Phone []: 123
Home Phone []: 123
Finger information changed.
[root@faraz fahmed]#

To set the full name of a user, use the -f option. Syntax: chfn -f "Full Name" username

[root@faraz fahmed]# chfn -f "Faraz Ahmed" fahmed
Changing finger information for fahmed.

Finger information changed.
[root@faraz fahmed]#

In this article we have learnt how to manage Linux account expiry settings using the chage command. I hope you have enjoyed this tutorial. See you again in our next tutorial, and thanks for visiting.
