Site icon Edumotivation

chage Command : Manage User Password Expiration and Aging in Linux

chage Command : Manage User Password Expiration and Aging

Today you will learn how to Manage user password expiration and aging in Linux using the chage command.

Each organization has its own password policy.

For security reasons, the user should change their password in a few month’s interval and the Linux administrator should take care of whether the users are changing the password or not.

That’s why it is the responsibility of the Linux administrator to forcefully change the password from the user using password policies.

In such situations, you can use the chage command.

What is chage?

Very Simple!

chage stands for “Change Age”.

As you can understand by the name itself, it’s for changing the user password expiry information. That’s all.

You have to run the chage command as a root user because upon running this command, it makes changes in /etc/shadow configuration file whose owner is root.

If you run this command without a superuser then you will get this error.

$ chage -M 365 helpdesk
chage: Permission denied.

In this guide, whatever configuration we are going to do regarding the expiration of a user’s password using the chage command, you can also do it directly by editing the /etc/shadow file.

But it is not recommended.

Now chage might already be installed on your machine.

If you are on a Debian-based Linux machine and don’t have chage installed then you can install that with the help of the following command.

$ sudo apt-get install passwd

and If you are on an RPM-based Linux machine like Redhat or CentOS then you can install this with the help of the following command.

# yum -y install shadow-utils

Okay, so when you have chage installed and ready to go let’s go ahead and look at very simple examples.

First of all, let’s focus on some of the most important options that we can use with the chage.

OptionsExplanation
-d, --lastdaySet date of last password change
-E, --expiredateSet account expiration date
-I, --inactiveSet password inactive after expiration
-l, --listshow account aging information
-m, --mindaysSet minimum number of days before password change
-M, --maxdaysSet maximum number of days before password change
--helpDisplay help page of chage Command.

Key features of chage command:

You must follow the syntax given below to use the chage command.

chage [options] LOGIN

1. Show account aging information

First, you need to check what are the existing permissions for a particular user. To do this you pass the -l option to chage command.

For example, I am taking the user right now as linuxadmin.

# chage -l linuxadmin
Last password change					: Jan 24, 2021
Password expires					: never
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 99999
Number of days of warning before password expires	: 7

2. Set the maximum number of days before the password change

To set the maximum number of days during which a password is valid use the -M option with the chage.

This command will also set the password expire date according to the last password change date.

In this example, I’m setting 365 days as the maximum number of days.

# chage -M 365 linuxadmin

Output:

# chage -l linuxadmin
Last password change					: Jan 24, 2021
Password expires					: Jan 24, 2022
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 365
Number of days of warning before password expires	: 7

As you can see here my last password change date is Jan 24, 2021 and as soon as I set the maximum days (365 days) for the password, the command set the password expire date to Jan 24, 2022.

Between January 24, 2021 and Jan 24, 2022, there is a difference of 365 days.

3. Set the minimum number of days before the password change

To set the minimum number of days between password changes use the -m option with the chage.

In this example, I’m setting 10 days as the minimum number of days.

# chage -m 10 linuxadmin

Output:

# chage -l linuxadmin
Last password change					: Jan 24, 2021
Password expires					: Jan 24, 2022
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 10
Maximum number of days between password change		: 365
Number of days of warning before password expires	: 7

If you set 0(Zero) as the minimum value then the user can change his password at any time.

4. Set password expiration warning days

To set the number of days of warning before a password change is required use the -W option with the chage command.

It has a long option and that is --warndays.

The Warning Days option is the number of days prior to the password expiring that a user will be warned their password is about to expire.

In this example, I’m setting 7 days as the warning days.

# chage -W 7 linuxadmin

Output:

# chage -l linuxadmin
Last password change					: Jan 24, 2021
Password expires					: Jan 24, 2022
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 10
Maximum number of days between password change		: 365
Number of days of warning before password expires	: 7

5. Set date of last password change

To set the number of days since January 1st, 1970 when the password was last changed pass the -d option to the change command.

You can use this format to set a date: YYYY-MM-DD.

If you set 0(Zero) then the user is forced to change his password on the next log on.

# chage -d 2021-03-04 linuxadmin

Output:

# chage -l linuxadmin 
Last password change					: Mar 04, 2021
Password expires					: Mar 04, 2022
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 10
Maximum number of days between password change		: 365
Number of days of warning before password expires	: 7

6. Set password inactive after expiration

To set the number of days of inactivity after a password has expired before the account is locked pass the -I option to the chage command.

According to this example, if the user does not log in for 5 days after the password expires, the account will be locked.

# chage -I 5 linuxadmin

Output:

# chage -l linuxadmin
Last password change					: Mar 04, 2021
Password expires					: Mar 04, 2022
Password inactive					: Mar 09, 2022
Account expires						: never
Minimum number of days between password change		: 10
Maximum number of days between password change		: 365
Number of days of warning before password expires	: 7

The user whose account is locked must contact the system administrator before being able to use the system again.

7. Set an account expiration date

You can also set the user account expiry date using the chage command. To do this use the -E option with the chage.

You can use this format to set a date: YYYY-MM-DD.

# chage -E 2021-04-15 linuxadmin

Output:

# chage -l linuxadmin
Last password change					: Mar 04, 2021
Password expires					: Mar 04, 2022
Password inactive					: Mar 09, 2022
Account expires						: Apr 15, 2021
Minimum number of days between password change		: 10
Maximum number of days between password change		: 365
Number of days of warning before password expires	: 7

The user whose account is locked must contact the system administrator before being able to use the system again.

8. Help/Manual page access

Use the following commands to access the Manual Page/Help Page of chage command.

# man chage
# chage --help

You can visit at following websites to get more information on chage.

Conclusion

So that is How to essentially use chage command.

I hope that now you have a good understanding of how the chage command works and you have some ideas for how you can use this within your workflow.

If anyone does have any questions about what we covered in this guide then feel free to ask in the comment section below and I will do my best to answer those.

For more User Management commands check out:

Exit mobile version