How to Set Up User Password Expiration in Linux

August 19th, 2010 by @HKw@! | Filed under centos, Fedora, Linux, RedHat, Ubuntu, Uncategorized.

By default, most Linux distributions do not enable password aging. This means passwords do not expire, and it is possible for a user to keep the same password indefinitely. This situation is not secure. For security reasons, it is advisable to require users to change their passwords periodically.

Password aging is a mechanism that allows the system to enforce a certain lifetime for passwords. The chage command is used to modify password aging.

# chage [options] username

Here are the common options used with the chage command:

Option       Description
-m <days>    minimum number of days between password changes
-M <days>    maximum number of days for which the password is valid
-d <days>    the day the password was last changed, as a number of days since January 1, 1970
-I <days>    number of inactive days after the password expires before the account is locked
-E <date>    expire the account on this date (YYYY-MM-DD format)
-W <days>    number of days before a required change at which warnings start

Below are a few examples of how to use the chage command:

a) Displays the help information

Just type the chage command with no arguments:

[root@myopensos ~]# chage
Usage: chage [options] user

Options:
  -d, --lastday LAST_DAY        set last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximim number of days before password
                                change to MAX_DAYS
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS

b) Show account aging information

To list a user's password aging details, type chage -l username or chage --list username:

[root@myopensos ~]# chage -l techkaki
Last password change                    : Aug 19, 2010
Password expires                    : never
Password inactive                    : never
Account expires                        : never
Minimum number of days between password change        : 0
Maximum number of days between password change        : 99999
Number of days of warning before password expires    : 7

c) Set Password Expiry Date

For example, the password of user techkaki is set to expire 3 days after the last password change.

Note that both the “Password expires” and “Maximum number of days between password change” entries change, as shown below.

[root@myopensos ~]# chage -M 3 techkaki
[root@myopensos ~]# chage -l techkaki
Last password change                    : Aug 19, 2010
Password expires                    : Aug 22, 2010
Password inactive                    : never
Account expires                        : never
Minimum number of days between password change        : 0
Maximum number of days between password change        : 3
Number of days of warning before password expires    : 7

d) To disable password aging for a user account

To turn off password expiration for a user account, set the following:

  • -m 0 will set the minimum number of days between password change to 0
  • -M 99999 will set the maximum number of days between password change to 99999
  • -I -1 (number minus one) will set “Password inactive” to never
  • -E -1 (number minus one) will set “Account expires” to never

The command below leaves out -E -1 because “Account expires” is already never for this user.

[root@myopensos ~]# chage -m 0 -M 99999 -I -1 techkaki
[root@myopensos ~]# chage --list techkaki
Last password change                    : Aug 19, 2010
Password expires                    : never
Password inactive                    : never
Account expires                        : never
Minimum number of days between password change        : 0
Maximum number of days between password change        : 99999
Number of days of warning before password expires    : 7

e) To set an account expiry date for a user

With the -E option, you can set the account expiry date:

[root@myopensos ~]# chage -E "2010-08-20" techkaki
[root@myopensos ~]# chage -l techkaki
Last password change                    : Aug 19, 2010
Password expires                    : never
Password inactive                    : never
Account expires                        : Aug 20, 2010
Minimum number of days between password change        : 0
Maximum number of days between password change        : 99999
Number of days of warning before password expires    : 7

If you want to know more about how to use the chage command, type man chage to view the manual. :-)
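
To find accounts that still have the defaults shown in (b) and (d), the same aging values can be read from shadow-format records. The script below is an added example, not part of the original post; it assumes the shadow(5) field layout and a hypothetical 90-day policy, and the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit password aging in shadow-format records.
# Fields per shadow(5): name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is a day count since January 1, 1970 (the value chage -d sets).

# audit_aging POLICY_MAX_DAYS  -- reads shadow-format lines on stdin and
# prints "user STATUS detail" for each account that is not locked.
audit_aging() {
    awk -F: -v policy="$1" '
        $2 ~ /^[!*]/ { next }    # hash field starts with ! or *: no password login
        $3 == "0"    { print $1, "CHANGE_AT_NEXT_LOGIN", "-"; next }
        $3 == "" || $5 == "" || $5 + 0 >= 99999 {
                       print $1, "NO_AGING", "max=" $5; next }
        $5 + 0 > policy + 0 {
                       print $1, "TOO_LONG", "max=" $5; next }
                     { print $1, "OK", "expires_day=" ($3 + $5) }
    '
}

# Convert a day count to YYYY-MM-DD (relies on date -d @SECONDS, GNU/busybox).
day_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%F
}

# Constructed sample records; the hash fields are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
techkaki:$6$placeholder$hash:14840:0:3:7:::
alice:$6$placeholder$hash:14840:0:99999:7:::
bob:$6$placeholder$hash:14800:1:180:14:::
daemon:*:14800:0:99999:7:::
carol:$6$placeholder$hash:0:0:90:7:::
EOF
}

# Report against the hypothetical 90-day policy.
sample_shadow | audit_aging 90
```

On a live system the same function can be run as root with audit_aging 90 < /etc/shadow, and day_to_date turns an expires_day value into a calendar date.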
