User Password Aging Information
Welcome guys to our new and exciting article. In this tutorial we will learn how to manage Linux password expiry settings. We are going to use the "chage" command to manage these settings. Changing passwords at regular intervals is a good security practice. But normal users/developers will not change their passwords regularly, or sometimes not at all, unless you as system administrator come up with a policy (I would say technique) which forces users to change their passwords regularly. How often users must change their passwords depends on your company's security policy.
Commands we will learn
chage -l, chage -M, chage -m, chage -I, chage -E, chage -W, chage -d 0, chfn, chfn -f.
Introduction
The chage command shows a user's password aging information: when the password was last changed, and the minimum and maximum number of days between password changes. A normal user cannot change password aging settings; only root has the rights to do that.
Variables configured in /etc/login.defs change the behavior of these files:
- /etc/passwd user account information
- /etc/shadow secure user account information
You can see a user's password aging information by using the chage command.
Syntax: chage -l username (lowercase L)
    [fahmed@faraz ~]$ chage -l fahmed
    Last password change : never
    Password expires : never
    Password inactive : never
    Account expires : never
    Minimum number of days between password change : 0
    Maximum number of days between password change : 99999
    Number of days of warning before password expires : 7
    [fahmed@faraz ~]$
As you can see in the above example, last password change, password expires, password inactive and account expires are set to never by default, and the rest of the values are also defaults.
Now I want to change my password to see the last password change value.
    [root@faraz fahmed]# date
    Sun Feb 28 23:27:22 PKT 2016
    [root@faraz fahmed]# passwd fahmed
    Changing password for user fahmed.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [root@faraz fahmed]# chage -l fahmed
    Last password change : Feb 28, 2016
    Password expires : never
    Password inactive : never
    Account expires : never
    Minimum number of days between password change : 0
    Maximum number of days between password change : 99999
    Number of days of warning before password expires : 7
    [root@faraz fahmed]#
Yes, the password has been changed successfully, and when I check the password aging information it shows the password change date, as shown in the above example.
To set the expiry date of the password, set the maximum number of days with the -M option.
Syntax: chage -M no_of_days username
    [root@faraz fahmed]# chage -M 15 fahmed
    [root@faraz fahmed]# chage -l fahmed
    Last password change : Feb 28, 2016
    Password expires : Mar 14, 2016
    Password inactive : never
    Account expires : never
    Minimum number of days between password change : 0
    Maximum number of days between password change : 15
    Number of days of warning before password expires : 7
    [root@faraz fahmed]#
Notice in the above example that after setting the expiry date, the maximum number of days value has been updated from 99999 to 15 and password expires
After that I want to set the password inactive date by using the -I option (capital i).
Syntax: chage -I no_of_days username
    [root@faraz fahmed]# chage -I 16 fahmed
    [root@faraz fahmed]# chage -l fahmed
    Last password change : Feb 28, 2016
    Password expires : Mar 14, 2016
    Password inactive : Mar 30, 2016
    Account expires : never
    Minimum number of days between password change : 0
    Maximum number of days between password change : 15
    Number of days of warning before password expires : 7
As you can see in the above output, the password expiry date is 15 days after the last change (Mar 14, 2016). If the password has expired and the user logs in, they will be prompted to change the password. But if the user does not log in and 16 more days pass (Mar 30, 2016), the user account will be locked (inactive).
Set the minimum number of days between password changes by using the -m option.
Syntax: chage -m no_of_days username
    [root@faraz fahmed]# chage -m 10 fahmed
    [root@faraz fahmed]# chage -l fahmed
    Last password change : Feb 28, 2016
    Password expires : Mar 14, 2016
    Password inactive : Mar 30, 2016
    Account expires : never
    Minimum number of days between password change : 10
    Maximum number of days between password change : 15
    Number of days of warning before password expires : 7
    [root@faraz fahmed]#
For the account expiry date use the -E option; the date must be given in the format "YYYY-MM-DD".
Syntax: chage -E "YYYY-MM-DD" username
    [root@faraz fahmed]# chage -E "2016-04-02" fahmed
    [root@faraz fahmed]# chage -l fahmed
    Last password change : Feb 28, 2016
    Password expires : Mar 14, 2016
    Password inactive : Mar 30, 2016
    Account expires : Apr 02, 2016
    Minimum number of days between password change : 10
    Maximum number of days between password change : 15
    Number of days of warning before password expires : 7
    [root@faraz fahmed]#
Change/set the password expiry warning period by using the -W option.
By default its value is 7: when a user logs in within 7 days of expiry, they will start to get a warning message about password expiry.
Syntax: chage -W no_of_days username
    [root@faraz fahmed]# chage -W 11 fahmed
    [root@faraz fahmed]# chage -l fahmed
    Last password change : Feb 28, 2016
    Password expires : Mar 14, 2016
    Password inactive : Mar 30, 2016
    Account expires : Apr 02, 2016
    Minimum number of days between password change : 10
    Maximum number of days between password change : 15
    Number of days of warning before password expires : 11
    [root@faraz fahmed]#
To force the user to change the password at the next logon, use the option -d 0.
Syntax: chage -d 0 username
    [root@faraz fahmed]# chage -d 0 fahmed
    [root@faraz fahmed]# chage -l fahmed
    Last password change : password must be changed
    Password expires : password must be changed
    Password inactive : password must be changed
    Account expires : Apr 02, 2016
    Minimum number of days between password change : 10
    Maximum number of days between password change : 15
    Number of days of warning before password expires : 11
    [root@faraz fahmed]#
As you can see in the above example, the first three entries show "password must be changed".
To disable password aging for a user, or in other words reset the settings to their defaults, use the command chage -I -1 -m 0 -M 99999 -E -1 username.
-I -1 sets password inactive to never.
-m 0 sets the minimum number of days between password changes to 0.
-M 99999 sets the maximum number of days between password changes to 99999.
-E -1 sets the account expiry to never.
(Note: the number of warning days remains as you set it in the last command you ran.)
    [root@faraz fahmed]# chage -I -1 -m 0 -M 99999 -E -1 fahmed
    [root@faraz fahmed]# chage -l fahmed
    Last password change : Feb 28, 2016
    Password expires : never
    Password inactive : never
    Account expires : never
    Minimum number of days between password change : 0
    Maximum number of days between password change : 99999
    Number of days of warning before password expires : 11
    [root@faraz fahmed]#
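The dates in the chage -l outputs above come from day counts stored in the fields of /etc/shadow. The following added example (not part of the original article) recomputes them from shadow-format records and flags accounts with no maximum password age, which is useful when auditing many accounts at once. The function names, the NO_MAX_AGE label and the sample records are constructed for illustration; day 16859 corresponds to Feb 28, 2016.

```bash
#!/bin/sh
# Added example: derive the dates `chage -l` prints from shadow-format fields
# name:hash:lastchg:min:max:warn:inactive:expire:  (day counts since 1970-01-01)

# Convert a non-negative day count since 1970-01-01 to YYYY-MM-DD.
days_to_date() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    m=$(( mp < 10 ? mp + 3 : mp - 9 ))
    y=$(( yoe + era * 400 + (m <= 2 ? 1 : 0) ))
    printf '%04d-%02d-%02d' "$y" "$m" "$d"
}

# Read shadow-format lines on stdin and print one summary line per account.
# Assumption: an empty max field or 99999 (the default on this page) means no expiry.
aging_report() {
    while IFS=: read -r user _hash last _min max _warn inact expire _rest; do
        [ -n "$user" ] || continue
        pw=never; ina=never; acct=never; flag=
        if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
            flag=' NO_MAX_AGE'            # password never ages out
        elif [ -n "$last" ] && [ "$last" -gt 0 ]; then
            pw=$(days_to_date $(( last + max )))
            if [ -n "$inact" ]; then
                ina=$(days_to_date $(( last + max + inact )))
            fi
        fi
        # lastchg 0 is the state left by `chage -d 0`
        if [ "$last" = 0 ]; then pw=must-change; ina=must-change; fi
        if [ -n "$expire" ]; then acct=$(days_to_date "$expire"); fi
        printf '%s expires=%s inactive=%s account=%s%s\n' "$user" "$pw" "$ina" "$acct" "$flag"
    done
}

# Constructed sample records (not real accounts; "x" stands in for the hash).
sample_shadow() {
    cat <<'EOF'
fahmed:x:16859:10:15:11:16:16893:
svc:x:16859:0:99999:7:::
newhire:x:0:0:15:7:::
EOF
}

sample_shadow | aging_report
```

On a real system, root can feed /etc/shadow to aging_report on stdin instead of the sample records.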
Bonus commands
Lastly, I want to change my personal information from the command line by using the chfn command.
Syntax: chfn username
    [root@faraz fahmed]# chfn fahmed
    Changing finger information for fahmed.
    Name [Faraz Ahmed]: Faraz.Ahmed
    Office []: abc 123
    Office Phone []: 123
    Home Phone []: 123
    Finger information changed.
    [root@faraz fahmed]#
To set the full name of a user, use the -f option.
Syntax: chfn -f "Full Name" username
    [root@faraz fahmed]# chfn -f "Faraz Ahmed" fahmed
    Changing finger information for fahmed.
    Finger information changed.
    [root@faraz fahmed]#
In this article we have learnt how to manage Linux account expiry settings using the chage command. I hope you have enjoyed this tutorial.