Examples to Manage Linux Password Expiration and Aging Using chage
NAME
chage change user password expiry informationSYNOPSIS
chage [options] [LOGIN]
DESCRIPTION
The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password.OPTIONS
TAG | DESCRIPTION |
---|---|
-d, --lastday LAST_DAY | Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format YYYY-MM-DD (or the format more commonly used in your area). |
-E, --expiredate EXPIRE_DATE | Set the date or number of days since January 1, 1970 on which the user's account will no longer be accessible. The date may also be expressed in the format YYYY-MM-DD (or the format more commonly used in your area). A user whose account is locked must contact the system administrator before being able to use the system again.Passing the number -1 as the EXPIRE_DATE will remove an account expiration date. |
-h, --help | Display help message and exit. |
-I, --inactive INACTIVE | Set the number of days of inactivity after a password has expired before the account is locked. The INACTIVE option is the number of days of inactivity. A user whose account is locked must contact the system administrator before being able to use the system again. Passing the number -1 as the INACTIVE will remove an account's inactivity. |
-l, --list | Show account aging information. |
-m, --mindays MIN_DAYS | Set the minimum number of days between password changes to MIN_DAYS. A value of zero for this field indicates that the user may change his/her password at any time. |
-M, --maxdays MAX_DAYS | Set the maximum number of days during which a password is valid. When MAX_DAYS plus LAST_DAY is less than the current day, the user will be required to change his/her password before being able to use his/her account. This occurrence can be planned for in advance by use of the -W option, which provides the user with advance warning.Passing the number -1 as MAX_DAYS will remove checking a password's validity. |
-W, --warndays WARN_DAYS | Set the number of days of warning before a password change is required. The WARN_DAYS option is the number of days prior to the password expiring that a user will be warned his/her password is about to expire. |
EXAMPLES
EXAMPLE-1:Use chage command to list the password aging information of a user
$ chage -l testuser output: Last password change : May 01, 2016 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 15EXAMPLE-2:
Disable password aging for a user
$ chage -I -1 -m 0 -M 99999 -E -1 testuser-I -1 : This will set the “Password inactive” to never
-m 0 : This will set the minimum number of days between password change to 0
-M 99999 : This will set the maximum number of days between password change to 99999
-E -1 : This will set “Account expires” to never.
This will disable the password expiry of a user if it is already enabled.
EXAMPLE-3:
Enable password expiry date of a user
$ chage -M 20 testuser Output Last password change : May 01, 2016 Password expires : May 21, 2017 Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 20 Number of days of warning before password expires : 15
EXAMPLE-4:
Set the Account expiry date in the format YYYY-MM-DD
$ chage -E 2017-05-28 output: Last password change : May 01, 2016 Password expires : May 28, 2017 Password inactive : never Account expires : May 28, 2012 Minimum number of days between password change : 0 Maximum number of days between password change : 20 Number of days of warning before password expires : 15EXAMPLE-5:
Set the password expiry warning message
$ chage -W 10 testuser User will start getting warning about the password expiry which is set to 10 days.EXAMPLE-6:
Forcing the users to change the password on next logon
$ chage -d 0 testuser This will reset “Last Password Change” to “Password must be changed”.
In this article let us review how you can use Linux chage command to perform several practical password aging activities including how-to force users to change their password. On debian, you can install chage by executing the following command:# apt-get install chageNote: It is very easy to make a typo on this command. Instead of chage you may end up typing it as change. Please remember chage stands for “change age”. i.e chage command abbreviation is similar to chmod, chown etc.,
1. List the password and its related details for an user
As shown below, any user can execute the chage command for himself to identify when his password is about to expire.Syntax: chage –-list username (or) chage -l username $ chage --list dhinesh Last password change : Apr 01, 2009 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7If user dhinesh tries to execute the same command for user ramesh, he’ll get the following permission denied message.
$ chage --list ramesh chage: permission deniedNote: However, a root user can execute chage command for any user account.
When user dhinesh changes his password on Apr 23rd 2009, it will update the “Last password change” value as shown below.
Please refer to our earlier article: Best Practices and Ultimate Guide For Creating Super Strong Password, which will help you to follow the best practices while changing password for your account.
$ date Thu Apr 23 00:15:20 PDT 2009 $ passwd dhinesh Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully $ chage --list dhinesh Last password change : Apr 23, 2009 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 72. Set Password Expiry Date for an user using chage option -M
Root user (system administrators) can set the password expiry date for any user. In the following example, user dhinesh password is set to expire 10 days from the last password change.Please note that option -M will update both “Password expires” and “Maximum number of days between password change” entries as shown below.
Syntax: # chage -M number-of-days username # chage -M 10 dhinesh # chage --list dhinesh Last password change : Apr 23, 2009 Password expires : May 03, 2009 Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 10 Number of days of warning before password expires : 73. Password Expiry Warning message during login
By default the number of days of warning before password expires is set to 7. So, in the above example, when the user dhinesh tries to login on Apr 30, 2009 — he’ll get the following message.$ ssh dhinesh@testingserver dhinesh@testingserver's password: Warning: your password will expire in 3 days4. User Forced to Change Password after Expiry Date
If the password expiry date reaches and user doesn’t change their password, the system will force the user to change the password before the login as shown below.$ ssh dhinesh@testingserver dhinesh@testingserver's password: You are required to change your password immediately (password aged) WARNING: Your password has expired. You must change your password now and login again! Changing password for dhinesh (current) UNIX password: Enter new UNIX password: Retype new UNIX password:5. Set the Account Expiry Date for an User
You can also use chage command to set the account expiry date as shown below using option -E. The date given below is in “YYYY-MM-DD” format. This will update the “Account expires” value as shown below.# chage -E "2009-05-31" dhinesh # chage -l dhinesh Last password change : Apr 23, 2009 Password expires : May 03, 2009 Password inactive : never Account expires : May 31, 2009 Minimum number of days between password change : 0 Maximum number of days between password change : 10 Number of days of warning before password expires : 76. Force the user account to be locked after X number of inactivity days
Typically if the password is expired, users are forced to change it during their next login. You can also set an additional condition, where after the password is expired, if the user never tried to login for 10 days, you can automatically lock their account using option -I as shown below. In this example, the “Password inactive” date is set to 10 days from the “Password expires” value.Once an account is locked, only system administrators will be able to unlock it.
# chage -I 10 dhinesh # chage -l dhinesh Last password change : Apr 23, 2009 Password expires : May 03, 2009 Password inactive : May 13, 2009 Account expires : May 31, 2009 Minimum number of days between password change : 0 Maximum number of days between password change : 10 Number of days of warning before password expires : 77. How to disable password aging for an user account
To turn off the password expiration for an user account, set the following:
- -m 0 will set the minimum number of days between password change to 0
- -M 99999 will set the maximum number of days between password change to 99999
- -I -1 (number minus one) will set the “Password inactive” to never
- -E -1 (number minus one) will set “Account expires” to never.
# chage -m 0 -M 99999 -I -1 -E -1 dhinesh # chage --list dhinesh Last password change : Apr 23, 2009 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7