How to Manage Linux Password Expiration and Aging Using chage
The command name 'chage' is an acronym for 'change age'. It is used to change a user's password aging and expiry information. Best practice recommends that users change their passwords at regular intervals, but most of the time developers and other users of Linux systems never do. It is the system administrator's responsibility to find a way to force developers and other users to change their passwords, and the best way to maintain that policy is to have the system force the change.
Any user can run this command with the '-l' option to view their own password aging and expiry information; no other unauthorised user can view it.
As the root user, you can run this command to modify the aging information.
In this post, we will show you how to manage Linux password expiration and aging using chage.
Chage command syntax
chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] [-l] username
Remember that chage stands for "change age"; the abbreviation follows the same pattern as chmod, chown, etc.
As shown below, any user can run the chage command on their own account to find out when their password is about to expire.
Syntax: chage --list username (or) chage -l username
[ghansham@ghanshammahajan ~]$ chage -l ghansham
Last password change                              : Oct 10, 2016
Password expires                                  : Nov 24, 2016
Password inactive                                 : never
Account expires                                   : never
Minimum number of days between password change    : 7
Maximum number of days between password change    : 45
Number of days of warning before password expires : 14
If a user tries to run the same command for a different user (here ghansham querying mahajan), it fails with the following permission denied error:
[ghansham@ghanshammahajan ~]$ chage -l mahajan
chage: Permission denied.
Set the password expiry date for a user using the -M option
For better security you should set a password expiry date for all users. Only the system administrator (root user) can set it. Once password expiry is enabled for a user, the user is forced to change their password at the first login after the expiry date.
In this example, user ghansham's password is set to expire 90 days after the last password change.
Before changing the password expiry date (here the password must be changed after 45 days, i.e. on Nov 24, 2016):
[root@ghanshammahajan ~]# chage -l ghansham
Last password change                              : Oct 10, 2016
Password expires                                  : Nov 24, 2016
Password inactive                                 : never
Account expires                                   : never
Minimum number of days between password change    : 7
Maximum number of days between password change    : 45
Number of days of warning before password expires : 14
Option -M sets the maximum number of days before the password must be changed to MAX_DAYS:
[root@ghanshammahajan ~]# chage -M 90 ghansham
After changing the password expiry date (the password must now be changed after 90 days, and the date has moved to Jan 08, 2017):
[root@ghanshammahajan ~]# chage -l ghansham
Last password change                              : Oct 10, 2016
Password expires                                  : Jan 08, 2017
Password inactive                                 : never
Account expires                                   : never
Minimum number of days between password change    : 7
Maximum number of days between password change    : 90
Number of days of warning before password expires : 14
Set the account expiry date for a user
You can also use chage to set the account expiry date, using option -E as shown below. The date is given in "YYYY-MM-DD" format and updates the "Account expires" value. Only the system administrator (root user) can set it.
Before changing the account expiry date (here no account expiry date is set, so it shows never):
[root@ghanshammahajan ~]# chage -l ghansham
Last password change                              : Oct 10, 2016
Password expires                                  : Jan 08, 2017
Password inactive                                 : never
Account expires                                   : never
Minimum number of days between password change    : 7
Maximum number of days between password change    : 90
Number of days of warning before password expires : 14
Option -E sets the account expiration date to EXPIRE_DATE ("YYYY-MM-DD"):
[root@ghanshammahajan ~]# chage -E "2016-12-31" ghansham
After changing the account expiry date (the account now expires on Dec 31, 2016 instead of never):
[root@ghanshammahajan ~]# chage -l ghansham
Last password change                              : Oct 10, 2016
Password expires                                  : Jan 08, 2017
Password inactive                                 : never
Account expires                                   : Dec 31, 2016
Minimum number of days between password change    : 7
Maximum number of days between password change    : 90
Number of days of warning before password expires : 14
Force the user account to be locked after X days of inactivity
If a user's password has expired, they must change it at their next login. You can add a further condition: if the password has expired and the user does not log in for 10 days, the account is locked automatically. This is set with option -I, and only the system administrator (root user) can set it.
Once an account is locked, only a system administrator can unlock it.
Before changing the password inactive date (here no inactive date is set, so it shows never):
[root@ghanshammahajan ~]# chage -l ghansham
Last password change                              : Oct 10, 2016
Password expires                                  : Jan 08, 2017
Password inactive                                 : never
Account expires                                   : Dec 31, 2016
Minimum number of days between password change    : 7
Maximum number of days between password change    : 90
Number of days of warning before password expires : 14
Option -I sets the number of days after password expiry until the password becomes inactive to INACTIVE:
[root@ghanshammahajan ~]# chage -I 10 ghansham
After changing the password inactive date (password inactive has changed from never to Jan 18, 2017). Note that the inactive date is counted from the password expiry date.
[root@ghanshammahajan ~]# chage -l ghansham
Last password change                              : Oct 10, 2016
Password expires                                  : Jan 08, 2017
Password inactive                                 : Jan 18, 2017
Account expires                                   : Dec 31, 2016
Minimum number of days between password change    : 7
Maximum number of days between password change    : 90
Number of days of warning before password expires : 14
Password expiry warning message during login
By default, the password expiry warning value is 7 days, so when a user logs in within 7 days of expiry they start getting a warning about the looming password expiry. We have already set 14 days of warning before expiry; to change it to 10 days, do the following. Only the system administrator (root user) can set it.
Before changing the number of warning days (here the warning period is 14 days):
[root@ghanshammahajan ~]# chage -l ghansham
Last password change                              : Oct 10, 2016
Password expires                                  : Nov 09, 2016
Password inactive                                 : Nov 19, 2016
Account expires                                   : Dec 31, 2016
Minimum number of days between password change    : 7
Maximum number of days between password change    : 25
Number of days of warning before password expires : 14
Option -W sets the number of expiration warning days to WARN_DAYS:
[root@ghanshammahajan ~]# chage -W 10 ghansham
After changing the number of warning days (the warning before password expiry is now 10 days):
[root@ghanshammahajan ~]# chage -l ghansham
Last password change                              : Oct 10, 2016
Password expires                                  : Nov 09, 2016
Password inactive                                 : Nov 19, 2016
Account expires                                   : Dec 31, 2016
Minimum number of days between password change    : 7
Maximum number of days between password change    : 25
Number of days of warning before password expires : 10
When user ghansham logs in on Oct 28, 2016, he gets the following message:
login as: ghansham
ghansham@ghanshammahajan's password:
Warning: your password will expire in 8 days
Forcing users to change the password on next login
When you create a new user account, you can force the user to change the password at their first login as follows. Only the system administrator (root user) can set this.
Before forcing the user to change the password on next login:
[root@ghanshammahajan ~]# chage -l ghansham
Last password change                              : Oct 10, 2016
Password expires                                  : Nov 09, 2016
Password inactive                                 : Nov 19, 2016
Account expires                                   : Dec 31, 2016
Minimum number of days between password change    : 7
Maximum number of days between password change    : 25
Number of days of warning before password expires : 10
Option -d sets the date of the last password change to LAST_DAY.
Setting it to zero forces the user to change the password at their next login.
[root@ghanshammahajan ~]# chage -d 0 ghansham
After forcing the password change, the output looks like this:
[root@ghanshammahajan ~]# chage -l ghansham
Last password change                              : password must be changed
Password expires                                  : password must be changed
Password inactive                                 : password must be changed
Account expires                                   : Dec 31, 2016
Minimum number of days between password change    : 7
Maximum number of days between password change    : 25
Number of days of warning before password expires : 10
When the user next logs in, the system forces a password change before granting access, as shown below.
login as: ghansham
ghansham@10.5.4.159's password:
You are required to change your password immediately (root enforced)
Changing password for ghansham.
(current) UNIX password:
New password:
Retype new password:
After the password is changed, the user's aging information is updated and looks like this:
[root@ghanshammahajan ~]# chage -l ghansham
Last password change                              : Oct 28, 2016
Password expires                                  : Nov 22, 2016
Password inactive                                 : Dec 02, 2016
Account expires                                   : Dec 31, 2016
Minimum number of days between password change    : 7
Maximum number of days between password change    : 25
Number of days of warning before password expires : 10
You can also give an explicit date for the last password change.
Before changing the last password change date, the output looks like this:
[root@ghanshammahajan ~]# chage -l ghansham
Last password change                              : Oct 27, 2016
Password expires                                  : Nov 21, 2016
Password inactive                                 : Dec 01, 2016
Account expires                                   : Dec 31, 2016
Minimum number of days between password change    : 7
Maximum number of days between password change    : 25
Number of days of warning before password expires : 10
Option -d sets the date of the last password change to LAST_DAY ("YYYY-MM-DD"):
[root@ghanshammahajan ~]# chage -d "2016-10-25" ghansham
After changing the last password change date, all the other dates are recalculated from it:
[root@ghanshammahajan ~]# chage -l ghansham
Last password change                              : Oct 25, 2016
Password expires                                  : Nov 19, 2016
Password inactive                                 : Nov 29, 2016
Account expires                                   : Dec 31, 2016
Minimum number of days between password change    : 7
Maximum number of days between password change    : 25
Number of days of warning before password expires : 10
Set the minimum number of days between password changes
Before setting the minimum number of days between password changes (here it is 7 days, meaning that once the user has changed the password they must wait 7 days before changing it again). Only the system administrator (root user) can set it.
[root@ghanshammahajan ~]# chage -l ghansham
Last password change                              : Oct 25, 2016
Password expires                                  : Nov 19, 2016
Password inactive                                 : Nov 29, 2016
Account expires                                   : Dec 31, 2016
Minimum number of days between password change    : 7
Maximum number of days between password change    : 25
Number of days of warning before password expires : 10
Option -m sets the minimum number of days between password changes to MIN_DAYS:
[root@ghanshammahajan ~]# chage -m 5 ghansham
Here we have set the minimum number of days between password changes to 5.
[root@ghanshammahajan ~]# chage -l ghansham
Last password change                              : Oct 25, 2016
Password expires                                  : Nov 19, 2016
Password inactive                                 : Nov 29, 2016
Account expires                                   : Dec 31, 2016
Minimum number of days between password change    : 5
Maximum number of days between password change    : 25
Number of days of warning before password expires : 10
If the user tries to change the password before the minimum period has passed, it fails with the error below:
[ghansham@ghanshammahajan ~]$ passwd
Changing password for user ghansham.
Changing password for ghansham.
(current) UNIX password:
You must wait longer to change your password
passwd: Authentication token manipulation error
Disable password aging for a user account
To turn off password expiration for a user account, set the following. Only the system administrator (root user) can disable password aging.
Before turning off password expiration, the output looks like this:
[root@ghanshammahajan ~]# chage -l ghansham
Last password change                              : Oct 25, 2016
Password expires                                  : Nov 19, 2016
Password inactive                                 : Nov 29, 2016
Account expires                                   : Dec 31, 2016
Minimum number of days between password change    : 5
Maximum number of days between password change    : 25
Number of days of warning before password expires : 10
Option -I: password inactive to -1
Option -m: minimum password age to 0
Option -M: maximum password age to 99999
Option -E: account expiration date to -1
[root@ghanshammahajan ~]# chage -m 0 -M 99999 -I -1 -E -1 ghansham
Now all the parameters have changed as per the command above, and every expiry field shows never:
[root@ghanshammahajan ~]# chage -l ghansham
Last password change                              : Oct 25, 2016
Password expires                                  : never
Password inactive                                 : never
Account expires                                   : never
Minimum number of days between password change    : 0
Maximum number of days between password change    : 99999
Number of days of warning before password expires : 10
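The fields chage -l prints are the aging columns of /etc/shadow, stored as day counts since 1970-01-01. The script below is an added example, not part of the original post: it reports the aging state of one shadow entry (forced change, expiry, warning window, inactivity lock, account expiry) so an administrator can audit every account without logging in as each user. The sample entries and "today" values are constructed from the post's dates, and the order of the checks is my reading of shadow(5).

```shell
#!/bin/sh
# Added example (not from the original post): report the aging state of a
# /etc/shadow entry from the same fields chage -l prints. Day values are
# days since 1970-01-01, as stored in /etc/shadow. Sample entries below are
# constructed from the post's dates; check order is my reading of shadow(5).

# Usage: shadow_status 'name:hash:lastchg:min:max:warn:inactive:expire:' TODAY
# Prints: account-expired | must-change | never | inactive | expired:N | warn:N | ok:N
shadow_status() {
    today=$2
    IFS=: read -r _name _hash lastchg _min max warn inactive expire _rest <<EOF
$1
EOF
    # chage -E: once the account expiry day is reached nothing else matters.
    if [ -n "$expire" ] && [ "$expire" -ge 0 ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return
    fi
    # Empty last-change field: aging disabled. 0 (chage -d 0): change at next login.
    if [ -z "$lastchg" ]; then echo never; return; fi
    if [ "$lastchg" -eq 0 ]; then echo must-change; return; fi
    # chage -M 99999, or an empty/negative maximum, means the password never ages.
    if [ -z "$max" ] || [ "$max" -lt 0 ] || [ "$max" -ge 99999 ]; then
        echo never; return
    fi
    expiry=$((lastchg + max))
    # chage -I: the inactivity window starts on the expiry day; once it is used
    # up the account is locked and only root can reopen it.
    if [ -n "$inactive" ] && [ "$inactive" -ge 0 ] &&
       [ "$today" -ge $((expiry + inactive)) ]; then
        echo inactive; return
    fi
    left=$((expiry - today))
    if [ "$left" -le 0 ]; then echo "expired:$((0 - left))"; return; fi
    # chage -W: login starts warning this many days before expiry.
    if [ -n "$warn" ] && [ "$left" -le "$warn" ]; then echo "warn:$left"; return; fi
    echo "ok:$left"
}

# Constructed entries: last change Oct 10 2016 (day 17084), checked on
# Oct 28 2016 (day 17102), mirroring the outputs shown in the post.
shadow_status 'ghansham:x:17084:7:45:14:::' 17102    # ok:27 (expires Nov 24)
shadow_status 'ghansham:x:17084:7:25:10:10::' 17102  # warn:7 (expires Nov 04)
shadow_status 'ghansham:x:0:7:25:10:10::' 17102      # must-change (after chage -d 0)
```

To run it against a live system, feed each line of /etc/shadow (readable only by root) and today's day number, $(( $(date +%s) / 86400 )), to shadow_status.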
Set default password expiry for all new users
As a system administrator, one of the most important hardening steps is to automate password expiration for all users. The file /etc/login.defs holds the default password policy for new users. Sometimes the policy has to be changed to match the organization's user policy, for example the minimum password length or the password expiration period.
When useradd creates a user, the useradd binary reads the following values from /etc/login.defs:
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
#PASS_MAX_DAYS 45
#PASS_MIN_DAYS 7
#PASS_MIN_LEN 8
#PASS_WARN_AGE 14
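As an added example (not from the original post), the following script checks which of these keys are actually in force and compares them against a policy. A line beginning with # in login.defs is a comment: the '#PASS_MAX_DAYS 45' form shown above documents a value but does not apply it, so useradd falls back to its compiled-in default. The policy bounds and the sample file are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit the password-aging keys in
# login.defs against a policy. Only uncommented lines count: '#PASS_MAX_DAYS 45'
# documents a value but does not apply it, so useradd falls back to its
# compiled-in default. Policy bounds and the sample file are demo assumptions.

# Print the effective value of KEY from login.defs text on stdin, or "unset".
# Usage: logindefs_get PASS_MAX_DAYS < /etc/login.defs
logindefs_get() {
    awk -v key="$1" '
        $1 == key { value = $2 }               # last active assignment wins
        END { print (value == "" ? "unset" : value) }'
}

# check_key KEY OP LIMIT DEFS: print a finding and return 1 when KEY is
# unset, non-numeric, or fails the test "value OP LIMIT" (OP is -le or -ge).
check_key() {
    key=$1; op=$2; limit=$3
    value=$(printf '%s\n' "$4" | logindefs_get "$key")
    case $value in
        unset)     echo "$key is not set (commented out or missing)"; return 1 ;;
        *[!0-9]*)  echo "$key=$value is not a number"; return 1 ;;
    esac
    if ! [ "$value" "$op" "$limit" ]; then
        echo "$key=$value violates policy ($key $op $limit)"; return 1
    fi
}

# Assumed policy: max age <= 90, min age >= 1, warning >= 7, length >= 8.
# Returns the number of findings, so exit status 0 means compliant.
audit_login_defs() {
    n=0
    check_key PASS_MAX_DAYS -le 90 "$1" || n=$((n + 1))
    check_key PASS_MIN_DAYS -ge 1  "$1" || n=$((n + 1))
    check_key PASS_WARN_AGE -ge 7  "$1" || n=$((n + 1))
    check_key PASS_MIN_LEN  -ge 8  "$1" || n=$((n + 1))
    return "$n"
}
# Constructed sample: the post's values left commented out, with typical
# shipped defaults active underneath them.
SAMPLE_LOGIN_DEFS='# Password aging controls:
#PASS_MAX_DAYS 45
#PASS_MIN_DAYS 7
#PASS_MIN_LEN 8
#PASS_WARN_AGE 14
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7'
audit_login_defs "$SAMPLE_LOGIN_DEFS" || echo "findings: $?"   # findings: 3
```

On a real host, replace the sample with "$(cat /etc/login.defs)"; note that PASS_MIN_LEN is ignored on systems where pam_pwquality or pam_cracklib enforces length instead.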