Today you will learn how to Manage user password expiration and aging in Linux using the chage command.
Each organization has its own password policy.
For security reasons, the user should change their password in a few month’s interval and the Linux administrator should take care of whether the users are changing the password or not.
That’s why it is the responsibility of the Linux administrator to forcefully change the password from the user using password policies.
In such situations, you can use the chage
command.
What is chage?
Very Simple!
chage
stands for “Change Age”.
As you can understand by the name itself, it’s for changing the user password expiry information. That’s all.
You have to run the chage
command as a root user because upon running this command, it makes changes in /etc/shadow
configuration file whose owner is root.
If you run this command without a superuser then you will get this error.
$ chage -M 365 helpdesk
chage: Permission denied.
In this guide, whatever configuration we are going to do regarding the expiration of a user’s password using the chage
command, you can also do it directly by editing the /etc/shadow
file.
But it is not recommended.
Now chage
might already be installed on your machine.
If you are on a Debian-based Linux machine and don’t have chage
installed then you can install that with the help of the following command.
$ sudo apt-get install passwd
and If you are on an RPM-based Linux machine like Redhat or CentOS then you can install this with the help of the following command.
# yum -y install shadow-utils
Okay, so when you have chage
installed and ready to go let’s go ahead and look at very simple examples.
First of all, let’s focus on some of the most important options that we can use with the chage
.
Options | Explanation |
---|---|
-d, --lastday | Set date of last password change |
-E, --expiredate | Set account expiration date |
-I, --inactive | Set password inactive after expiration |
-l, --list | show account aging information |
-m, --mindays | Set minimum number of days before password change |
-M, --maxdays | Set maximum number of days before password change |
--help | Display help page of chage Command. |
Table of Contents
Key features of chage command:
- Show account aging information
- Set maximum and minimum number of days before password change
- Set password expiration warning days
- Set date of last password change
- Set password inactive after expiration
- Set account expiration date
You must follow the syntax given below to use the chage command.
chage [options] LOGIN
1. Show account aging information
First, you need to check what are the existing permissions for a particular user. To do this you pass the -l
option to chage
command.
For example, I am taking the user right now as linuxadmin.
# chage -l linuxadmin
Last password change : Jan 24, 2021
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
2. Set the maximum number of days before the password change
To set the maximum number of days during which a password is valid use the -M
option with the chage
.
This command will also set the password expire date according to the last password change date.
In this example, I’m setting 365 days as the maximum number of days.
# chage -M 365 linuxadmin
Output:
# chage -l linuxadmin
Last password change : Jan 24, 2021
Password expires : Jan 24, 2022
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 365
Number of days of warning before password expires : 7
As you can see here my last password change date is Jan 24, 2021 and as soon as I set the maximum days (365 days) for the password, the command set the password expire date to Jan 24, 2022.
Between January 24, 2021 and Jan 24, 2022, there is a difference of 365 days.
3. Set the minimum number of days before the password change
To set the minimum number of days between password changes use the -m
option with the chage
.
In this example, I’m setting 10 days as the minimum number of days.
# chage -m 10 linuxadmin
Output:
# chage -l linuxadmin
Last password change : Jan 24, 2021
Password expires : Jan 24, 2022
Password inactive : never
Account expires : never
Minimum number of days between password change : 10
Maximum number of days between password change : 365
Number of days of warning before password expires : 7
If you set 0(Zero) as the minimum value then the user can change his password at any time.
4. Set password expiration warning days
To set the number of days of warning before a password change is required use the -W
option with the chage command.
It has a long option and that is --warndays
.
The Warning Days option is the number of days prior to the password expiring that a user will be warned their password is about to expire.
In this example, I’m setting 7 days as the warning days.
# chage -W 7 linuxadmin
Output:
# chage -l linuxadmin
Last password change : Jan 24, 2021
Password expires : Jan 24, 2022
Password inactive : never
Account expires : never
Minimum number of days between password change : 10
Maximum number of days between password change : 365
Number of days of warning before password expires : 7
5. Set date of last password change
To set the number of days since January 1st, 1970 when the password was last changed pass the -d
option to the change command.
You can use this format to set a date: YYYY-MM-DD
.
If you set 0(Zero) then the user is forced to change his password on the next log on.
# chage -d 2021-03-04 linuxadmin
Output:
# chage -l linuxadmin
Last password change : Mar 04, 2021
Password expires : Mar 04, 2022
Password inactive : never
Account expires : never
Minimum number of days between password change : 10
Maximum number of days between password change : 365
Number of days of warning before password expires : 7
6. Set password inactive after expiration
To set the number of days of inactivity after a password has expired before the account is locked pass the -I
option to the chage
command.
According to this example, if the user does not log in for 5 days after the password expires, the account will be locked.
# chage -I 5 linuxadmin
Output:
# chage -l linuxadmin
Last password change : Mar 04, 2021
Password expires : Mar 04, 2022
Password inactive : Mar 09, 2022
Account expires : never
Minimum number of days between password change : 10
Maximum number of days between password change : 365
Number of days of warning before password expires : 7
The user whose account is locked must contact the system administrator before being able to use the system again.
7. Set an account expiration date
You can also set the user account expiry date using the chage
command. To do this use the -E
option with the chage
.
You can use this format to set a date: YYYY-MM-DD
.
# chage -E 2021-04-15 linuxadmin
Output:
# chage -l linuxadmin
Last password change : Mar 04, 2021
Password expires : Mar 04, 2022
Password inactive : Mar 09, 2022
Account expires : Apr 15, 2021
Minimum number of days between password change : 10
Maximum number of days between password change : 365
Number of days of warning before password expires : 7
The user whose account is locked must contact the system administrator before being able to use the system again.
8. Help/Manual page access
Use the following commands to access the Manual Page/Help Page of chage
command.
# man chage
# chage --help
You can visit at following websites to get more information on chage
.
Conclusion
So that is How to essentially use chage command.
I hope that now you have a good understanding of how the chage
command works and you have some ideas for how you can use this within your workflow.
If anyone does have any questions about what we covered in this guide then feel free to ask in the comment section below and I will do my best to answer those.
For more User Management commands check out: