User Account and Password Expiration in Linux

The chage command, an abbreviation for “change age,” in Linux is used to view and modify user password expiry information. This command is particularly useful for system administrators who need to manage password policies across users in a Linux environment. It is important to keep an eye on the people who are using the servers and make sure that any accounts that are not needed are closed down or locked and passwords expire. By using chage, administrators can enforce security policies requiring users to change their passwords after a certain period, thus enhancing the overall system security.

💡 The chage command is restricted to the root user, except for the -l option, which an unprivileged user may use to determine when their password or account is due to expire.

Hands-on Exercise

  1. To view the current password expiry information for a user, use:

     sudo chage -l username
    

    • -l, --list - shows account aging information: the last password change date, the password expiry date, the password inactive period, the account expiry date, and so on.
  2. To set the maximum number of days during which a password is valid:

     sudo chage -M days username
    

    With days set to 30, this ensures that the user must change their password every 30 days.

  3. To set a minimum number of days between password changes:

     sudo chage -m days username
    

    With days set to 20, once the user ‘karla’ changes her password, she will have to wait at least 20 days before she is allowed to change it again.

  4. To start warning a user N days before their password expires, use:

     sudo chage -W days username
    

  5. To ensure an account is automatically disabled after a certain date, for example, at the end of a contract or project, set:

     sudo chage -E YYYY-MM-DD username
    

    After the specified date, the user ‘karla’ will not be able to access her account.

  6. To set the number of days of inactivity after a password has expired before the account is locked, use the -I option. For example, to lock the ‘karla’ account if its password is not changed within 10 days after its expiry, use:

     sudo chage -I 10 karla
    

    This policy ensures that inactive accounts are locked after a certain period, providing an additional layer of security.

  7. The chage command also has an interactive mode, which can be used by not specifying any options. In this mode, the command will prompt you for all the information it needs. To enter the interactive mode, use:

     sudo chage karla
    

  8. To remove the password expiry for a certain user, use the -M option with a value of -1:

     sudo chage -M -1 username
    

  9. To remove account expiration for a certain user, similar to password expiration, use the -E option, passing -1 as the value:

     sudo chage -E -1 username
    

Exit Codes

The chage command exits with the following values:

  • 0 - success;

  • 1 - permission denied;

  • 2 - invalid command syntax;

  • 15 - cannot find the shadow password file

The passwd Command

The passwd command, which is separate from chage, changes passwords for user accounts. Its primary use is changing passwords rather than managing the finer points of password policy: it is the command used for routine password updates or when an account's password must be reset for security reasons. A normal user may only change the password for their own account, while the superuser may change the password for any account.

  1. To lock a certain user, use:

     sudo passwd -l username
    

  2. To view the password status of the named account, use:

     sudo passwd -S username
    

  3. To unlock a certain user, use:

     sudo passwd -u username
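
Every option in the chage exercise above, and the lock that passwd -l applies, ends up as a field in /etc/shadow. As an added example (not code from the article), the POSIX shell function below reads one shadow-style line and reports the resulting aging state of the account without needing root; the sample lines, the placeholder hashes and the "today" day number are constructed.

```sh
# Added example: audit the aging fields that chage (-m/-M/-W/-I/-E) and
# passwd -l write into /etc/shadow. Field layout:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Day fields are days since 1970-01-01, the unit chage stores; "today" is
# passed in the same unit so the result is reproducible and needs no root.
shadow_audit() {
    today=$2
    IFS=: read -r name hash lastchg min max warn inactive expire _ <<EOF
$1
EOF
    last=${lastchg:-0}
    findings=""
    # passwd -l locks the account by prefixing the hash with "!"
    case $hash in
        '!'*) findings="$findings locked" ;;
    esac
    # chage -E sets an absolute expiry day; chage -E -1 clears the field
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        findings="$findings account-expired"
    fi
    # chage -M sets max; chage -M -1 empties it, 99999 is the usual default
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        findings="$findings no-password-expiry"
    else
        expires=$((last + max))
        if [ "$today" -gt "$expires" ]; then
            findings="$findings password-expired"
            # chage -I: days of inactivity after expiry before the lock
            if [ -n "$inactive" ] && [ "$today" -gt $((expires + inactive)) ]; then
                findings="$findings inactive-locked"
            fi
        elif [ "$today" -ge $((expires - ${warn:-0})) ]; then
            # chage -W: the warning starts "warn" days before expiry
            findings="$findings in-warning-period"
        fi
    fi
    # chage -m: no new change permitted before last change + min days
    if [ "${min:-0}" -gt 0 ] && [ "$today" -lt $((last + min)) ]; then
        findings="$findings change-not-yet-allowed"
    fi
    [ -n "$findings" ] || findings=" ok"
    echo "$name:${findings# }"
}
# Constructed sample lines (hashes are placeholders), audited as of day 19800
SAMPLE_KARLA='karla:$6$c0n$tructed:19790:20:30:7:10:19900:'
SAMPLE_BOB='bob:$6$c0n$tructed:19775:0:30:7:10:19900:'
SAMPLE_CONTRACTOR='contractor:$6$c0n$tructed:19700:0:30:7:10:19750:'
SAMPLE_SVC='svc:!$6$c0n$tructed:19790:0:::::'
for line in "$SAMPLE_KARLA" "$SAMPLE_BOB" "$SAMPLE_CONTRACTOR" "$SAMPLE_SVC"; do shadow_audit "$line" 19800; done
```

On a real host the same function can be fed `sudo awk -F: '$2 !~ /^[*!]*$/' /etc/shadow` line by line with `$(($(date +%s) / 86400))` as today.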
    

Conclusion

The chage command is essential for maintaining security and compliance within a Linux environment. By enforcing regular password changes and setting minimum and maximum password ages, organizations can significantly reduce the risks associated with stale or compromised passwords. Additionally, the ability to disable accounts automatically helps manage access for temporary users or contractors, ensuring that only current, authorized users can access system resources.

While passwd plays a critical role in password management, its capabilities regarding the direct setting of account and password expiration dates are limited. For detailed management of password and account expiration policies, including setting specific expiration dates, use the chage command for password-related settings and usermod for account expiration. These tools offer the granularity and control needed for effective user account management and security policy enforcement.
