How to view and configure password aging on Linux

  • 2021-07-26 09:14:22
  • OfStack

With the right settings, you can force Linux users to change their passwords periodically. Here is how to view password aging settings and how to change them.

User passwords on Linux systems can be configured to be permanent or set to expire so that people have to reset them periodically. For security reasons, it is generally considered a good habit to change passwords regularly, but it is not configured by default.

To view and modify password aging, you need to be familiar with several important commands: the chage command and its -l option, and the passwd command and its -S option. This article covers these commands, as well as a few other chage command options for configuring password aging.

View password aging settings

To determine whether password aging has been set for a specific account, use the chage command as shown below. Note that root privileges are required for any account except your own. Note the password expiration date in the output.


$ sudo chage -l dory
Last password change   : Mar 15, 2020
Password expires   : Jun 13, 2020 <==
Password inactive   : never
Account expires   : never
Minimum number of days between password change : 10
Maximum number of days between password change : 90
Number of days of warning before password expires : 14

If password aging is not applied, the account information will look like this:


$ sudo chage -l nemo
Last password change   : Jan 14, 2019
Password expires   : never <==
Password inactive   : never
Account expires   : Mar 26, 2706989
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

You can also use the passwd -S command to view some of this information, but you need to know what each field in the output represents:


dory$ passwd -S
dory P 03/15/2020 10 90 14 -1

The seven fields here represent:

  1. User name
  2. Account status (L = locked, NP = no password, P = usable password)
  3. Date of the last password change
  4. Minimum age (the password cannot be changed until this many days have passed)
  5. Maximum age (the password must be changed after this many days)
  6. Number of days of advance warning before the password expires
  7. Number of days after the password expires before the account is locked (made inactive)

One thing to note is that the chage command does not show whether an account is locked; it displays only the password aging settings. The passwd -S command, on the other hand, will tell you when the password is locked. In this example, note that the account status is L:


$ sudo passwd -S dorothy
dorothy L 07/09/2019 0 99999 7 10

The lock is implemented by setting the "hash" field in the /etc/shadow file, which normally contains the password hash, to "!".


$ sudo grep dorothy /etc/shadow
dorothy:!:18086:0:99999:7:10:: <==

The fact that the account is locked is not apparent in the chage output:


$ sudo chage -l dorothy
Last password change   : Jul 09, 2019
Password expires   : never
Password inactive   : never
Account expires   : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
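
To see lock status and password expiry side by side, which neither command shows on its own, the /etc/shadow fields can be read directly. The following is an added example, not part of the original article: the function names are hypothetical, the dory line is constructed to match the chage -l output above with a placeholder in place of a real hash, and 99999 is treated as "no aging" because that is the value shown for such accounts on this page.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NO_AGING = 99999  # maximum-age value shown above for accounts without aging

# Constructed sample in /etc/shadow format. The dorothy line is the one shown
# above; the dory line is built to match the chage -l output above and uses a
# placeholder instead of a real hash.
SAMPLE = """\
dory:$6$placeholder$placeholder:18336:10:90:14:::
dorothy:!:18086:0:99999:7:10::
"""


def to_int(field):
    """Numeric shadow fields may be empty, meaning 'not set'."""
    return int(field) if field else None


def audit_line(line):
    """Return name, passwd -S style status, and password expiry date (or None)."""
    name, pw, last, _min, mx, _warn, _inactive, _expire, _rsv = line.strip().split(":")
    if pw.startswith("!"):
        status = "L"       # locked: "!" in the hash field
    elif pw == "":
        status = "NP"      # no password
    else:
        status = "P"       # usable password
    last, mx = to_int(last), to_int(mx)
    expires = None         # None corresponds to "Password expires : never"
    if last is not None and mx is not None and mx < NO_AGING:
        # Fields are day counts: days since 1970-01-01 plus the maximum age.
        expires = EPOCH + timedelta(days=last + mx)
    return {"name": name, "status": status, "expires": expires}


def audit(text):
    """Audit every non-empty line of shadow-format text."""
    return [audit_line(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for row in audit(SAMPLE):
        exp = row["expires"].strftime("%b %d, %Y") if row["expires"] else "never"
        flag = "  <== no password aging" if row["expires"] is None else ""
        print(f'{row["name"]:10} {row["status"]:3} expires: {exp}{flag}')
```

On a real system the input would come from /etc/shadow, which requires root privileges to read.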

Some options for password aging

The most commonly used settings are the minimum and maximum number of days. They are often used in combination. For example, you can configure a password so that it cannot be used for more than 90 days (maximum), and then add that it cannot be changed until 1 week or 10 days have passed (minimum). This ensures that users cannot change their passwords again immediately after being required to change them.


$ sudo chage -M 90 -m 10 shark
$ sudo chage -l shark
Last password change   : Mar 16, 2020
Password expires   : Jun 14, 2020
Password inactive   : never
Account expires   : never
Minimum number of days between password change : 10 <==
Maximum number of days between password change : 90 <==
Number of days of warning before password expires : 7

You can also use the -E option to set a specific expiration date for an account.


$ sudo chage -E 2020-11-11 tadpole
$ sudo chage -l tadpole
Last password change   : Oct 15, 2019
Password expires   : never
Password inactive   : never
Account expires   : Nov 11, 2020 <==
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

Password aging can be an important option as long as it does not encourage users to use overly simple passwords or write them down in an unsafe way. For more information about controlling password characters (for example, combinations of upper and lower case letters, numbers, and so on), see this article on password complexity.
