# User Account and Password Expiration in Linux

[The `chage` command](https://man7.org/linux/man-pages/man1/chage.1.html), an abbreviation for “change age,” is used in Linux to view and modify user password expiry information. It is particularly useful for system administrators who manage password policies across the users of a Linux environment. Part of that job is keeping track of who has access to the servers and making sure that accounts which are no longer needed are closed down or locked and that their passwords expire. With `chage`, administrators can enforce a policy that requires users to change their passwords after a given period, which improves overall system security.

<div data-node-type="callout">
<div data-node-type="callout-emoji">💡</div>
<div data-node-type="callout-text">The <code>chage</code> command is restricted to the <strong>root</strong> user, except for the <code>-l</code> option, which may be used by an unprivileged user to determine when their password or account is due to expire.</div>
</div>

## Hands-on Exercise

1. To view the current password expiry information for a user, use:
    
    ```bash
    sudo chage -l username
    ```
    
    ![](https://i.imgur.com/mPPt0sK.png align="center")
    
    * `-l, --list` - shows account aging information. This will display various information like the last password change date, password expiry date, password inactive period, account expiry date, etc.
        
2. To set the maximum number of days during which a password is valid:
    
    ```bash
    sudo chage -M days username
    ```
    
    ![](https://i.imgur.com/FuW9xNX.png align="center")
    
    This ensures that the user must change their password every 30 days.
    
3. To set a minimum number of days between password changes:
    
    ```bash
    sudo chage -m days username
    ```
    
    ![](https://i.imgur.com/C9W0lyO.png align="center")
    
    After this command, once the user ‘karla’ changes her password, she will have to wait a minimum of 20 days before she is allowed to change it again.
    
4. To start warning a user N days before their password expires, use:
    
    ```bash
    sudo chage -W days username
    ```
    
    ![](https://i.imgur.com/eUjHcfu.png align="center")
    
5. To ensure an account is automatically disabled after a certain date, for example, at the end of a contract or project, set:
    
    ```bash
    sudo chage -E YYYY-MM-DD username
    ```
    
    ![](https://i.imgur.com/p37CLqF.png align="center")
    
    After the specified date, the user ‘karla’ will not be able to access her account.
    
6. To set the number of days of inactivity after a password has expired before the account is locked, use the `-I` option. For example, to lock the ‘karla’ account if its password is not changed within 10 days after its expiry, use:
    
    ```bash
    sudo chage -I 10 karla
    ```
    
    ![](https://i.imgur.com/3TifW30.png align="center")
    
    This policy ensures that inactive accounts are locked after a certain period, providing an additional layer of security.
    
7. The `chage` command also has an *interactive mode*, which can be used by not specifying any options. In this mode, the command will prompt you for all the information it needs. To enter the interactive mode, use:
    
    ```bash
    sudo chage karla
    ```
    
    ![](https://i.imgur.com/D5wvRi2.png align="center")
    
8. To remove the password expiry for a certain user, use the `-M` option with a value of `-1`:
    
    ```bash
    sudo chage -M -1 username
    ```
    
    ![](https://i.imgur.com/HmTi4py.png align="center")
    
9. To remove account expiration for a certain user, similarly to password expiration, use the `-E` option and pass `-1` as the value:
    
    ```bash
    sudo chage -E -1 username
    ```
    
    ![](https://i.imgur.com/rvByLsA.png align="center")
    

## Exit Codes

[The `chage` command](https://man7.org/linux/man-pages/man1/chage.1.html#:~:text=EXIT%20VALUES%20%C2%A0%20%C2%A0%20%C2%A0%20%C2%A0%20top) exits with the following values:

* 0 - success;
    
    ![](https://i.imgur.com/OUxiq1i.png align="center")
    
* 1 - permission denied;
    
    ![](https://i.imgur.com/S7f8wK3.png align="center")
    
* 2 - invalid command syntax;
    
    ![](https://i.imgur.com/oJb5Cyf.png align="center")
    
* 15 - cannot find the shadow password file.
    

## The `passwd` Command

The `passwd` command is a separate tool, unrelated to `chage`, that changes passwords for user accounts. Its primary purpose is changing passwords rather than managing the finer details of password policy. It is the command used for regular password updates, or when an account's password needs to be reset for security reasons. A normal user may only change the password for their own account, while the superuser may change the password for any account.

1. To lock a certain user, use:
    
    ```bash
    sudo passwd -l username
    ```
    
    ![](https://i.imgur.com/hYpSamT.png align="center")
    
2. To view the password status of the named account, use:
    
    ```bash
    sudo passwd -S username
    ```
    
    ![](https://i.imgur.com/K9b2Hyp.png align="center")
    
3. To unlock a certain user, use:
    
    ```bash
    sudo passwd -u username
    ```
    
    ![](https://i.imgur.com/JEukBaW.png align="center")
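
As an added example (not part of the original post), the following POSIX shell script applies the rules behind the `chage` and `passwd` options shown above to shadow(5)-style records: it reads the `lastchange`, `max`, `warn`, `inactive` and `expire` fields that `chage -M/-W/-I/-E` write, plus the `!` prefix that `passwd -l` puts on the hash, and reports each account's state as of a given day number. The records and hashes are constructed, and the comparisons assume the day-count semantics described in shadow(5).

```shell
# Audit helper: classify one shadow(5) record against a given day number
# (days since 1970-01-01, the unit /etc/shadow and chage use internally).
# Record layout: name:hash:lastchange:min:max:warn:inactive:expire:reserved

field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

shadow_status() {
    line=$1; today=$2
    pwhash=$(field "$line" 2); last=$(field "$line" 3); max=$(field "$line" 5)
    warn=$(field "$line" 6); inact=$(field "$line" 7); expire=$(field "$line" 8)
    # Account expiry date (chage -E) overrides everything else.
    if [ -n "$expire" ] && [ "$today" -gt "$expire" ]; then
        echo account-expired; return
    fi
    # passwd -l prefixes the hash with '!'; '*' means no usable password.
    case $pwhash in '!'*|'*'*) echo locked; return ;; esac
    # chage -M -1 clears the max field; an empty lastchange disables aging.
    if [ -z "$last" ] || [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo never-expires; return
    fi
    deadline=$((last + max))
    if [ "$today" -gt "$deadline" ]; then
        # chage -I: this many inactive days after expiry locks the account.
        if [ -n "$inact" ] && [ "$today" -gt $((deadline + inact)) ]; then
            echo inactive-locked
        else
            echo password-expired
        fi
        return
    fi
    # chage -W: warning window before the deadline.
    if [ -n "$warn" ] && [ "$today" -ge $((deadline - warn)) ]; then
        echo expiring-soon; return
    fi
    echo ok
}

# Constructed sample records (placeholder hashes, not from a real system).
SAMPLE='karla:$6$c0nstructed:19700:20:30:7:10::
bob:!$6$c0nstructed:19700:0:99999:7:::
tmp:$6$c0nstructed:19700:::::19730:'

# Print "user status" for every sample record as of day $1.
audit() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r rec; do
        printf '%s %s\n' "${rec%%:*}" "$(shadow_status "$rec" "$1")"
    done
}

audit 19740
```

On a real system the same function can be fed the lines of `/etc/shadow` (readable only by root) together with today's day number, `$(( $(date +%s) / 86400 ))`.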
    

## Conclusion

The `chage` command is essential for maintaining security and compliance within a Linux environment. By enforcing regular password changes and setting minimum and maximum password ages, organizations can significantly reduce the risks associated with stale or compromised passwords. Additionally, the ability to disable accounts automatically helps manage access for temporary users or contractors, ensuring that only current, authorized users can access system resources.

While `passwd` plays a critical role in password management, its capabilities regarding the direct setting of account and password expiration dates are limited. For detailed management of password and account expiration policies, including setting specific expiration dates, use the `chage` command for password-related settings and `usermod` for account expiration. These tools offer the granularity and control needed for effective user account management and security policy enforcement.

## References:

1. [chage(1) — Linux manual page](https://man7.org/linux/man-pages/man1/chage.1.html)
    
2. [Linux Crash Course - User Account & Password Expiration](https://www.youtube.com/watch?v=UYBPpaWUT64)
    
3. [chage Command in Linux with Examples](https://www.linuxcapable.com/chage-command-in-linux/)
