How to set user password expirations on Linux
Posted: July 5, 2022
User accounts created on Red Hat Enterprise Linux (RHEL) servers are by default assigned 99,999 days until their password expires. The Center for Internet Security (CIS) provides some advice on controls for hardening systems, and one of these is setting password expirations to 365 days or less. The security team usually enforces this setting, but system administrators must ensure this is done.
Use the /etc/login.defs file to set password aging policies. All new users inherit the definitions set in login.defs. You’ll use the chage command to manage password-aging policies.
In /etc/login.defs, you can adjust the following parameters to reflect your security policy or control:
- PASS_MAX_DAYS: How many days the password is active before it expires.
- PASS_MIN_DAYS: How many days a password must be active before it can be changed by a user.
- PASS_WARN_AGE: The number of days a warning is issued to the user before an impending password expiry.
The following example modifies your policy such that a password expires after 90 days and cannot be changed until it’s been active for seven days, and users are notified five days prior to password expiry:
Changes made to /etc/login.defs affect only new users created on the system. For existing users, you must use the chage command.
You can set the same configuration for existing users with:
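Because login.defs only affects new accounts, existing entries have to be checked one by one. The following is an added example, not code from the original article: it reads shadow-format lines and prints, for each account that misses the 90/7/5 policy, the chage command that would align it. The sample entries, the function names and the choice to skip accounts without a password hash are assumptions of this example.

```shell
#!/bin/sh
# Added example: find existing accounts whose aging fields miss the policy.
# /etc/shadow layout per shadow(5):
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
MAX_DAYS=90; MIN_DAYS=7; WARN_AGE=5   # the policy from the text

# Constructed sample entries (hashes are placeholders, not real).
sample_shadow() {
    cat <<'EOF'
root:$6$constructed$placeholder:19000:0:99999:7:::
user1:$6$constructed$placeholder:19100:7:90:5:::
user2:$6$constructed$placeholder:19100:0:99999:7:::
svc_backup:!:19000::::::
user3:$6$constructed$placeholder:19150:7:365:5:::
EOF
}

# audit_aging: read shadow-format lines on stdin and print, for every
# account that deviates, the chage command that would bring it in line.
# Nothing is changed; the output is for review.
audit_aging() {
    awk -F: -v max="$MAX_DAYS" -v min="$MIN_DAYS" -v warn="$WARN_AGE" '
        # Assumption: entries with no password hash (only "!" or "*",
        # or empty) are service accounts and are out of scope here.
        $2 ~ /^[!*]*$/ { next }
        {
            why = ""
            if ($5 == "" || $5 + 0 > max)  why = why " max=" ($5 == "" ? "unset" : $5)
            if ($4 == "" || $4 + 0 < min)  why = why " min=" ($4 == "" ? "unset" : $4)
            if ($6 == "" || $6 + 0 < warn) why = why " warn=" ($6 == "" ? "unset" : $6)
            if (why != "") printf "chage -M %d -m %d -W %d %s  #%s\n", max, min, warn, $1, why
        }'
}

sample_shadow | audit_aging
```

On a live system the same function can be fed the real file as root, for example `audit_aging < /etc/shadow`.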
View password age
To view the password age for a user, use the --list option (-l for short) with the chage command. For example, to view password information for user1:
How to Manage User Password Expiration and Aging in Linux
System administration involves numerous tasks, including managing users and groups. Under user management, some of the minor tasks involved are adding, modifying, suspending, or deactivating user accounts, and many more.
This article will explain one of the critical user account management functions, how to set or change user password expiration and aging in Linux using the chage command.
The chage command is used to modify user password expiry information. It enables you to view user account aging information, change the number of days between password changes and the date of the last password change.
Once you have set password expiry and aging information, this information is used by the system to determine when a user must change his/her password. Normally, companies or organizations have certain security policies that require users to change passwords regularly: this can be a simple way to enforce such policies, as explained below.
To view a user account's aging information, use the -l flag as shown.
View User Password Aging Information
To set the date or number of days (since January 1, 1970) when the password was last changed, use the -d flag as follows.
Next, you can also set the date or number of days (since January 1, 1970) on which the user’s account will no longer be accessible by using the -E switch as shown in the following command.
In this case, once a user’s account is locked, he/she is required to contact the system administrator before being able to use the system again.
Then, the -W option allows you to set the number of days of warning before a password change is required. Considering the command below, the user ravi will be warned 10 days prior to his password expiring.
In addition, you can set the number of days of inactivity after a password has expired before the account is locked. This example means that after user ravi’s password expires, his account will be inactive for 2 days before it is locked.
When the account becomes inactive, he must contact the system administrator before being able to use the system again.
For more information, refer to the chage man page.
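The fields set with -d, -E, -W and -I interact, so it helps to see which one decides an account's state on a given day. The following is an added example, not code from the original article: it classifies shadow-format entries using the field meanings in shadow(5). The sample entries, the day number 19500, the state labels and the exact boundary comparisons are assumptions of this example.

```shell
#!/bin/sh
# Added example: derive an account's state from its /etc/shadow fields
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# All day counts are days since January 1, 1970.

# Constructed sample entries (hashes are placeholders), for day 19500.
sample_entries() {
    cat <<'EOF'
alice:$6$constructed$placeholder:19490:0:90:7:2::
carol:$6$constructed$placeholder:19415:0:90:10:2::
bob:$6$constructed$placeholder:19409:0:90:10:2::
ravi:$6$constructed$placeholder:19405:0:90:10:2::
newhire:$6$constructed$placeholder:0:0:90:7:::
temp:$6$constructed$placeholder:19490:0:90:7::19400:
exstaff:!$6$constructed$placeholder:19490:0:90:7:::
EOF
}

today_days() { echo $(( $(date +%s) / 86400 )); }

# account_state TODAY: read shadow-format lines on stdin, print "name state".
# The state labels are hypothetical names chosen for this example.
account_state() {
    awk -F: -v today="$1" '
    {
        age = today - $3                      # days since last change
        if      ($8 != "" && today >= $8)   s = "account-expired"        # -E
        else if ($2 ~ /^!/)                 s = "password-locked"
        else if ($3 == "0")                 s = "change-at-next-login"   # -d 0
        else if ($3 == "" || $5 == "")      s = "no-aging"
        else if ($7 != "" && age > $5 + $7) s = "inactive"               # -I
        else if (age > $5)                  s = "password-expired"       # -M
        else if ($6 != "" && age > $5 - $6) s = "warn-" ($5 - age) "-days-left"  # -W
        else                                s = "ok"
        print $1, s
    }'
}

sample_entries | account_state 19500
```

On a live system, run it as root with `account_state "$(today_days)" < /etc/shadow`.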
Note that you can also change a user’s password expiration and aging information using the usermod command, which is actually intended for modifying a user account.
That’s it for now. We hope you find this article informative and useful. If you have any questions to ask, use the feedback form below.
🔑 Configuring a user password expiration policy in Linux
How password verification works
When a user tries to log in, the system looks up the user's entry in the /etc/shadow file, combines the salt with the plaintext password that was entered, and hashes the result using the specified hashing algorithm.
If the result matches the stored hash, the user entered the correct password.
If the result does not match the stored hash, the user entered the wrong password and the login attempt fails.
- Force a password change at first login.
- Force a password change every X days.
Exercise 1. Forcing a password change at first login
To do this, use the command:
If you log in as user1, you will be prompted to change the password.
You can now log in with the updated password.
Exercise 2: Changing a user's password policy
Now let's set a password policy that requires a new password every 90 days.
Exercise 3: Setting a user account to expire in X days
We will set the user1 account to expire 120 days from the current day.
Get the date and time 120 days ahead of the current one:
Verify that the account expiration was set successfully:
Exercise 4: Locking and unlocking a user account
Locking an account prevents the user from authenticating with a password on your system.
The usermod command can be used to lock an account with the -L option.
As an administrator, you can lock and expire an account with a single usermod command.
This is ideal for terminated employees.
Exercise 5: Setting a password policy for all users
Let's configure a policy for all users, with passwords expiring 90 days from the current date.
Linux is one of the most popular operating systems for servers, and Linux also offers a great desktop OS. However, there are some things that can be difficult to understand when you’re new to Linux. One example is password expiry: what does this mean? How do you change the expiration date for your password in Linux? How do you change a user password or UNIX password, and use the passwd command?
If you’re not in IT services, or not a techie, the Linux change password command and setting the expiry date can all seem overwhelming. If you can barely remember your username, setting expiration dates is the last thing on your mind. But Linux account password settings allow you to keep your own and other users' accounts secure, by using the root user, the root password, and the chage command line.
In this article, we’ll answer these questions and more. Keep reading to learn more.
Change expiry and enter new UNIX password in Linux
chage is the command to list and change the password aging information for a user account. Use the chage command to change the number of days between user password expiry and the current date. It’s easy to access the chage command line and use it in Linux. Think of it as the account password change button in the shadow file.
The change-password notification will be sent and passwords will be set to expire on the date you specify. The valid range is from 0 (today) up to 90 years in the future, and if the date is earlier than today, a warning message pops up again as a reminder that the user password has already expired.
Here’s a quick rundown on how to show the expiration date of a particular Linux user account. Here are the different settings:
- Listing password aging for user accounts
- Change the number of days to expire, for the alert to change the user password on the account
- Change the password to never expire so you have control and can change your own password
- Change account expiry to a specific date to change the password
Let’s explore how to use this command in the terminal!
Listing password aging for user
The chage command with the -l option shows the expiry details of a specific user. This sudo command allows users to plan a new password for the next time the user’s password is set to expire.
In this example, the user’s last password change was on Dec 25th 2017 and it expires in 90 days. The user will be notified at login 7 days before expiry.
Change the number of days to expire
Use the -M option and provide the number of days to expiry. You can see in the example below that the user can change to their new password the next time it’s required, in 180 days.
Some of the reasons you might want to change the number of days to expiry are to enforce a more stringent new password policy, to force the user into changing their passwords on time, to take over the account with the sysadmin, doubling back to the root user, etc.
Change the password to never expire
You can use chage to make the user’s password never expire with the below options. This sets the user password/UNIX password to never expire. Some reasons why you may want to switch to the password never expiring are if you’re sharing the account with a co-worker or if it is for your personal use.
This way neither one of you will be left in the lurch if you forget your password. You simply manage the root access passwd and type passwd command to change it yourself when needed.
You can also set the number of days to change and how many warnings you want before it expires with chage. Be careful to keep track of your passwords and to set the correct number of days for your user password.
This command will create an expiration date that is in never part, so it won’t expire at all: PASSWORD_MAXAGE=never chage -M 0 username . A maximum password age can be specified as a time span with units such (years) or (-m):
Option one: -M199200 — this will set the Linux password to never expire and then change user password expires attribute from “never” (default)to NEVER (-1201). The screen looks like this.
Change account expiry to specific date
You can set the user password and the entire account to expire on a specific date or +N number of days from the current date.
Some of the reasons this is helpful are when you are testing a potential new employee and whether the information they gave is accurate, and want the user password to expire after the test window is done. Other cases are when the file is set to expire, or when an employee is terminated, etc.
All of this is done with one command: chage -E +21 demouser (type in your password and answer y)
To set an expiration date, use: chage username +N days from now.
Here are the examples using chage -E option.
Top 17 passwd and chage Command Examples in Linux
In this article, I will take you through top 10 passwd and chage command examples to manage user password expiration and aging in Linux. The passwd tool is generally used to change a user account password, and the chage command is usually used for user account expiration and aging operations. Most of the time you will see both used together to perform user account management tasks.
passwd and chage Examples
1. Change root Password on Ubuntu
If you are planning to change your root password, you can do that by simply running the passwd command as shown. By default, passwd with no arguments takes the currently logged-in user as the account whose password is to be changed. In our case, since we are logged in as root, the root account password will be changed.
2. Change User Account Password
If you want to change the password for user john's account, you can do that by simply running the passwd john command.
3. Expire User Password after 45 days
If you want user John's password to expire after 45 days, run the chage -M 45 John command.
Check whether the expiration day is set.
4. User Password Expiration Warning
In case you want to warn a user about password expiration, you can do that by running the chage -W 15 John command. This command starts warning the user 15 days before password expiration, so that the user is notified that the password is going to expire in 15 days.
Check whether the warning is set to 15 days for user john.
5. Lock User Account on Ubuntu
If you want to lock user John's account, you can do that by using the passwd -l john command.
6. Unlock User Account on Linux Machine
If you want to unlock user John's account, you can do that by using the passwd -u john command.
7. Check User Password Policy
To list user John's current password policy, use the chage -l john command.
8. Check User Password Status
Sometimes you might want to check the status of the password for a given account. You can do that by using the -S option with the passwd command. As you can see from the output below, user John's password is currently set using SHA512 encryption.
9. Force User to Change His Password After First Login
If you want to force a user to change his password after first login, you can do that by using the chage -d 0 john command.
Check whether the forced password change is set in user john's password policy.
10. Forcefully expire User Password
If you want to forcefully expire user john's password, you can do that by using the command below.
11. Disable User Account Expiry
If you want to disable user John's account expiry, you can do that by executing the chage -E -1 John command.
Check whether the account expiry is disabled. Notice the output never in Account Expires; this means account expiry is successfully set to never.
12. Remove User Password
Sometimes you might get into a scenario where you need to remove a user's password. That can be achieved by using the -d option with the passwd command, as shown below for John.
13. Set User Account Expiry
If you decide to set user John's account expiry to 28th May 2020, you can do that by using the chage -E 2020-05-28 john command.
Check whether the expiry is set for user John.
14. Never allow User Password to become Inactive
If you want to set Password Inactive to never for user John, you can do that by using the chage -I -1 john command.
Check whether Password Inactive is set to never.
15. Force User Account to Lock after 7 days of inactivity
If you want a user account to be forcefully locked after 7 days of inactivity, you can use the chage -I 7 john command. This command basically means: lock user john's account if he does not use his account for 7 days.
16. Set Number of days(Age) between User Password Change
Use the command below to set the minimum number of days between password changes to 0 for user John.
Verify that the minimum number of days between password changes is set to 0.
17. Check other options with passwd and chage command
To check all the options available with the passwd command, you can run passwd --help.
To check all the options available with the chage command, you can run chage --help.