System administrators need to frequently perform user management tasks such as creating new users, adding them to user groups, changing their passwords, etc. Sometimes they may also need to add, modify, suspend, or deactivate user accounts. In this article, we will learn how to set or change user password expiration as well as aging. We will use chage command for this purpose.
How to Manage User Password Expiry & Aging in Linux
The chage command is used to modify user password expiry information. It also allows you to view user account aging information, change no. of days between password change, and date of last password change. Once you set the password expiration and aging information, users will automatically forced to renew their passwords on those dates. All this is handled by your Linux system automatically, once you make changes using chage command. It is a useful tool used by system administrators, IT departments and organizations to enforce security policies that require users to regularly change passwords.
Here is the basic command to view a user’s account aging information, using -l option.
# chage -l test
To set the date or number of days since Jan 1, 1970 when the password was changed, use the -d flag.
# chage -d 2022-02-11 test
You can also use -E option to lock the user account after a specific date. In this case, the user will need to contact system administrator to get back system access.
# chage -E 2022-02-16 test
If you want the system to display a warning message a few days before the password expires, then you need to use -W option followed by the number of days prior to password expiry when you want to display the message. Here is the command to display warning message to user test to change password starting 10 days prior to password expiry.
# chage -W 10 test
You can also set an inactive period after password expiry after which the account is locked. Here is an example to set inactive period to 2 days after password expiry, after which the account will be locked. During this period the account will remain inactive.
# chage -I 2 test
In this article, we have learnt how to set user password expiration and aging in Linux. You can also use this command from a shell script in case you want to automatically set password expiry for users.