
7 Examples to Manage Linux Password Expiration and Aging Using chage


Best practice recommends that users change their passwords at regular intervals. But developers and other users of a Linux system typically won’t change their password unless they are forced to.

It’s the system administrator’s responsibility to find a way to force developers to change their password. Forcing users to change their password with a gun to their head is not an option, although most security-conscious sysadmins may even be tempted to do that.

In this article, let us review how you can use the Linux chage command to perform several practical password aging activities, including how to force users to change their password.

On Debian, chage is part of the passwd package, so you can install it by executing the following command:

# apt-get install passwd

 
Note: It is very easy to make a typo in this command. Instead of chage you may end up typing change. Remember that chage stands for “change age”, i.e. the chage command’s abbreviation is similar to chmod, chown, etc.

1. List the password and its related details for a user

As shown below, any user can execute the chage command for himself to find out when his password is about to expire.

Syntax: chage --list username (or) chage -l username

$ chage --list dhinesh
Last password change                                    : Apr 01, 2009
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

 
If user dhinesh tries to execute the same command for user ramesh, he’ll get the following permission denied message.

$ chage --list ramesh
chage: permission denied

 
Note: The root user can, however, execute the chage command for any user account.

When user dhinesh changes his password on Apr 23rd 2009, the “Last password change” value is updated as shown below.

Please refer to our earlier article: Best Practices and Ultimate Guide For Creating Super Strong Password, which will help you follow best practices when changing the password for your account.

$ date
Thu Apr 23 00:15:20 PDT 2009

$ passwd dhinesh
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

$ chage --list dhinesh
Last password change                                    : Apr 23, 2009
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

2. Set Password Expiry Date for a user using chage option -M

The root user (system administrator) can set the password expiry date for any user. In the following example, user dhinesh’s password is set to expire 10 days from the last password change.

Please note that option -M will update both the “Password expires” and “Maximum number of days between password change” entries as shown below.

Syntax: # chage -M number-of-days username

# chage -M 10 dhinesh

# chage --list dhinesh
Last password change                                    : Apr 23, 2009
Password expires                                        : May 03, 2009
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 10
Number of days of warning before password expires       : 7

3. Password Expiry Warning message during login

By default, the number of days of warning before the password expires is set to 7. So, in the above example, when the user dhinesh tries to log in on Apr 30, 2009, he’ll get the following message.

$ ssh dhinesh@testingserver
dhinesh@testingserver's password:
Warning: your password will expire in 3 days

4. User Forced to Change Password after Expiry Date

If the password expiry date is reached and the user hasn’t changed their password, the system will force the user to change the password before logging in, as shown below.

$ ssh dhinesh@testingserver
dhinesh@testingserver's password:

You are required to change your password immediately (password aged)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for dhinesh
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:

5. Set the Account Expiry Date for a User

You can also use the chage command to set the account expiry date using option -E. The date given below is in “YYYY-MM-DD” format. This will update the “Account expires” value as shown below.

# chage -E "2009-05-31" dhinesh

# chage -l dhinesh
Last password change                                    : Apr 23, 2009
Password expires                                        : May 03, 2009
Password inactive                                       : never
Account expires                                         : May 31, 2009
Minimum number of days between password change          : 0
Maximum number of days between password change          : 10
Number of days of warning before password expires       : 7

6. Force the user account to be locked after X number of inactivity days

Typically, if the password has expired, users are forced to change it during their next login. You can also set an additional condition: if the user does not log in for 10 days after the password has expired, their account is automatically locked. This is done using option -I as shown below. In this example, the “Password inactive” date is set to 10 days from the “Password expires” value.

Once an account is locked, only system administrators will be able to unlock it.

# chage -I 10 dhinesh

# chage -l dhinesh
Last password change                                    : Apr 23, 2009
Password expires                                        : May 03, 2009
Password inactive                                       : May 13, 2009
Account expires                                         : May 31, 2009
Minimum number of days between password change          : 0
Maximum number of days between password change          : 10
Number of days of warning before password expires       : 7

7. How to disable password aging for a user account

To turn off password expiration for a user account, set the following:

  • -m 0 will set the minimum number of days between password change to 0
  • -M 99999 will set the maximum number of days between password change to 99999
  • -I -1 (number minus one) will set the “Password inactive” to never
  • -E -1 (number minus one) will set “Account expires” to never.

# chage -m 0 -M 99999 -I -1 -E -1 dhinesh

# chage --list dhinesh
Last password change                                    : Apr 23, 2009
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
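
The dates in sections 2, 5 and 6 are all derived from day counts stored in /etc/shadow. The following script is an added example, not part of the original article or of chage itself: it recomputes “Password expires”, “Password inactive” and “Account expires” from constructed shadow-format lines that mirror the article’s values. It assumes an empty field, a negative value or a maximum of 99999 means “never”; the function names days_to_date and shadow_aging are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): derive the dates chage -l reports from
# /etc/shadow. Fields 3 (last change) and 8 (account expiry) are days since
# 1970-01-01; fields 5 (max) and 7 (inactive) are day counts.

# days_to_date N: print YYYY-MM-DD for day number N >= 0 (integer math only,
# so it does not depend on GNU date).
days_to_date() {
    z=$(( $1 + 719468 )); era=$(( z / 146097 )); doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    m=$(( mp < 10 ? mp + 3 : mp - 9 ))
    y=$(( yoe + era * 400 + (m <= 2 ? 1 : 0) ))
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# shadow_aging LINE: print "user password_expires password_inactive account_expires".
shadow_aging() {
    IFS=: read -r user hash last min max warn inact expire rest <<EOF
$1
EOF
    pw=never; ina=never; acct=never
    case $max in ''|-*|99999) last= ;; esac    # assumption: no maximum age means aging is off
    case $last in
    '') ;;                                     # empty: nothing expires
    0)  pw=must-change ;;                      # the value "chage -d 0" writes
    *)  pw=$(days_to_date $(( last + max )))   # -M: last change + max days
        case $inact in ''|-*) ;; *) ina=$(days_to_date $(( last + max + inact ))) ;; esac ;;
    esac
    case $expire in ''|-*) ;; *) acct=$(days_to_date "$expire") ;; esac   # -E
    echo "$user $pw $ina $acct"
}

# Constructed sample entries (placeholder hashes) mirroring the article's values.
while read -r line; do shadow_aging "$line"; done <<'EOF'
dhinesh:$6$constructed:14357:0:10:7:10:14395:
ramesh:$6$constructed:14357:0:99999:7:::
EOF
```

To audit a real system, replace the sample lines with the output of getent shadow, run as root.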

 
This article was written by Dhineshkumar Manikannan. He is working at bk Systems (p) Ltd, and is interested in contributing to open source. The Geek Stuff welcomes your tips and guest articles.


33 comments

  • Gautam kashyap April 23, 2009, 10:00 pm

    Hi Ramesh,
    This information is very useful for me. Thanks for publishing this article.

  • Neal April 24, 2009, 12:36 pm

    Thanks for all the good posts Ramesh/Dhineshkumar!

    Another useful tip is to force users to change their password on next logon:

    Just run “chage -d 0 “. This will unset the date the password was last changed and the account will require a new password on next logon. The message is something like “you are required to change your password (root enforced)”.

    Great for new users as they get to choose their password.

  • Neal April 24, 2009, 4:00 pm

    Sorry, that should have been:
    chage -d 0 username
    I must remember not to put things in brackets as they often vanish when submitted…

  • Ramesh Natarajan April 24, 2009, 5:23 pm

    @Gautam,
     
    Thanks for your comments. I’m glad you found this article helpful.
     
    @Neal,
     
    Thanks a lot for the wonderful tip. For those who are interested, I’ve copy/pasted the output of the command suggested by Neal, i.e. the following is the easy way to force users to change their password when they log in. Please note that the “Last password change” value is changed to “password must be changed” after the chage -d 0.

    # chage -l jsmith
    Last password change                                    : Apr 23, 2009
    Password expires                                        : never
    Password inactive                                       : never
    Account expires                                         : never
    Minimum number of days between password change          : 0
    Maximum number of days between password change          : 99999
    Number of days of warning before password expires       : 7
    
    
    # chage -d 0 jsmith
    
    
    # chage -l jsmith
    Last password change                                    : password must be changed
    Password expires                                        : never
    Password inactive                                       : never
    Account expires                                         : never
    Minimum number of days between password change          : 0
    Maximum number of days between password change          : 99999
    Number of days of warning before password expires       : 7
    
  • reaky May 20, 2009, 6:22 am

    Very good explanation, but I have a question:
    How can I change the expiration warning message for the chage command?

  • rmarquez June 9, 2009, 12:05 am

    I have a question. When a user in Linux wants to change their password, it won’t let them use a word based on a dictionary reference. Yet, as root it complains, but changes. What can I look at to determine why it won’t let a user change their own password if it’s a “dictionary” word? How can I put it back to where a user can change their password to whatever they want?

  • Mattias July 20, 2009, 2:30 am

    What repository is it available in? I can’t find it in either etch or lenny, main contrib non-free..

  • Umer Asghar May 26, 2010, 12:53 am

    Very nice explanation

  • Rafael Padilha September 28, 2010, 2:35 pm

    Hello, I posted an article like this on my blog and put a reference to this site.
    My post is in pt-br.
    Thanks for the post, it helped me a lot!

  • KeyPatel April 22, 2011, 1:09 pm

    Thanks for a very well written blog. Would you please explain what we should do if root itself gets locked and how to prevent that from happening again?

  • K.Santhosh May 10, 2011, 8:45 am

    Hi Ramesh,

    I have been reading your articles for the last few months; it’s a great site for newbies as well as for experienced ones. People can learn a lot from this site.

    To force the user to change the password at next login we will use the command
    # chage -d 0

    But here my question is: I want to make this a default setting, which means whenever I create new users, those users should be prompted to change the password at their first login. Please let me know how to do it. Thanks in advance.

  • Usama December 15, 2011, 11:57 pm

    Can anybody tell me how to change the password of root once it’s expired for a server?
    I am in the same situation and worried about it… my boss is a hitler :(

  • Alamgir December 23, 2011, 12:00 am

    Thanks
    Good information.

  • Prasanth January 2, 2012, 10:39 am

    we can also reset password settings using :
    #chage -d -(any number) user name…….

  • Meghna March 19, 2012, 4:51 am

    The “chage -d 0 username” command does not seem to work in a few conditions.
    I run this command in a script and check the return value for password expiration.
    It shows return value as 0 (success) but it has not modified the value in /etc/shadow file and hence the password has not been expired.
    Has this issue been observed by anyone?
    What might have caused the same?
    Please can someone help with this…

  • Gaurav April 1, 2012, 10:25 pm

    Meghna, I would like to inform you that the command you are using, “chage -d 0 username”, is only for the password prompt. Once we have reset the password of the user, run the command “chage -d 0 username” afterwards and it will prompt the user to change his password at first login. Apart from that, this command doesn’t do anything. I hope I have cleared up your query 😉

    Thanks,

  • Meghna April 2, 2012, 12:45 am

    Thanks Gaurav for your response. But I’m facing this issue. After the command is run, the value has to be set to “0” in the /etc/shadow file. Only in some situations, this is not happening and hence it is not prompting for a password change during first login. I am not able to figure out why this is happening. Is it related in any way to selinux contexts or something else?

  • chandan June 28, 2012, 10:57 am

    If you want to do it for multiple users

    awk -F':' '{ if ( $3 >= 1000 ) print $1 }' /etc/passwd | xargs -I {} chage -I -1 -m 0 -M -1 -E -1 {}

  • vimal August 21, 2012, 12:07 pm

    For a non-expiring password for a user account in Linux, set the following:

    -m 0 will set the minimum number of days between password change to 0
    -M 99999 will set the maximum number of days between password change to 99999
    -I -1 (number minus one) will set the “Password inactive” to never
    -E -1 (number minus one) will set “Account expires” to never.
    # chage -m 0 -M 99999 -I -1 -E -1 dhinesh

    # chage --list vimal
    Last password change : Apr 23, 2009
    Password expires : never
    Password inactive : never
    Account expires : never
    Minimum number of days between password change : 0
    Maximum number of days between password change : 99999
    Number of days of warning before password expires : 7

    Non-expiry in AIX
    lsuser vimal
    chuser maxage=0 (non-expiry) vimal

  • Franklyn August 30, 2012, 1:43 am

    Well you can just use this
    chage -d -1 -M -1 dhinesh

    Last password change : never
    Password expires : never
    Password inactive : never
    Account expires : never
    Minimum number of days between password change : 1
    Maximum number of days between password change : -1
    Number of days of warning before password expires : 7

  • kanhaiya kumar September 23, 2012, 6:12 am

    very good exploitation of chage

  • MarcinEF October 1, 2012, 9:52 pm

    Thanks! Very helpful!

  • Ade April 23, 2013, 12:20 am

    I want to replace the words “your account has expired; please contact your system administrator”

    how to change the writing?

  • Vishesh Joshi June 30, 2013, 4:12 am

    Nice, it’s really very helpful, I liked it so much

    very useful.

    Thank you for this page & info :-))

  • Arun September 18, 2013, 3:13 am

    Hi,

    Please let me know the steps to download chage source in Ubuntu.
    I am not able to download using

    http://www.thegeekstuff.com/2010/02/get-source-code-for-any-linux-command/

    arun@arun:~$ sudo apt-get source chage
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    E: Unable to find a source package for chage

  • User October 18, 2013, 9:41 am

    Arun, Try apt-get source passwd

  • wildan April 24, 2014, 9:54 am

    Will it be useful for dropbear, or for OpenSSH only? Thanks

  • Praveen November 4, 2014, 4:06 am

    It will be very good notes for password aging in linux

  • srinivas May 5, 2015, 7:29 am

    Very good explanation

  • Eric Sebasta May 26, 2015, 11:42 am

    I take it there is no way to do this as a global policy, for all users now and forevermore?

  • P.K June 3, 2015, 11:55 pm

    I want to change the user passwd expired date, please can you explain briefly.

  • Afsar June 9, 2015, 11:52 am

    How do I list the inactive user?
    Can anyone help on this

  • Naveen June 23, 2015, 12:22 pm

    Nice Information. Thanks a lot
