Sunday, September 23, 2012

Using Chage to manage password expiration and aging

As administrators, we can use tools like chage to help manage the information in /etc/shadow. Each line of /etc/shadow holds information such as

myuseid:$xxxxxxxxxeeerrrrr:15607:0:900:10:0::

Column Description
1 UserID
2 Encrypted (hashed) password
3 Number of days since January 1st, 1970 when the password was last changed
4 Minimum number of days between password changes
5 Maximum number of days during which a password is valid
6 Number of days of warning before a password change is required
7 Number of days of inactivity after a password has expired before the account is locked
8 Date on which the userid account will no longer be accessible, as the number of days since January 1, 1970. (chage also accepts this date in the format YYYY-MM-DD.)

It is best to manage these fields with the chage command. For example:

1. Listing password details
# chage --list username

Last password change                                    : Feb 03, 2012
Password expires                                        : Jul 22, 2013
Password inactive                                       : Jul 22, 2013
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 60
Number of days of warning before password expires       : 10

2. Disable password aging for a user account
# chage -m 0 -M 99999 -I -1 -E -1 username

-m 0 (set the minimum number of days between password changes to 0)
-M 99999 (set the maximum number of days between password changes to 99999)
-I -1 (set "Password inactive" to never)
-E -1 (set "Account expires" to never)

Running chage --list username afterwards shows:

Last password change                                    : Feb 03, 2012
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 10
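
To audit these fields across many accounts, the columns described above can also be read directly from shadow-format lines. The following Python is an added example, not part of the original post; the function name, the status labels, the second and third sample lines and the exact day boundaries are assumptions made for illustration.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NO_LIMIT = 99999  # the value "chage -M 99999" stores to disable aging

def _num(field):
    """Numeric shadow field, or None when it is empty or -1 (not set)."""
    return None if field in ("", "-1") else int(field)

def _to_date(days):
    return EPOCH + timedelta(days=days)

def audit_shadow_line(line, today):
    """Return (user, status, relevant_date) for one shadow-format line."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:  # the 8 columns above plus a trailing reserved field
        raise ValueError("expected 9 colon-separated fields, got %d" % len(f))
    user = f[0]
    last, max_days, warn, inactive, acct = (_num(f[i]) for i in (2, 4, 5, 6, 7))
    # Column 8: an expired account takes precedence over password state.
    if acct is not None and today >= _to_date(acct):
        return user, "account-expired", _to_date(acct)
    # Column 5 unset or 99999: password aging is disabled.
    if last is None or max_days is None or max_days >= NO_LIMIT:
        return user, "no-aging", None
    expires = _to_date(last + max_days)  # column 3 + column 5
    if today >= expires:
        # Column 7: days allowed after expiry before the account is locked.
        if inactive is not None and today >= expires + timedelta(days=inactive):
            return user, "inactive", expires
        return user, "password-expired", expires
    if warn is not None and today >= expires - timedelta(days=warn):  # column 6
        return user, "warning", expires
    return user, "ok", expires

# Constructed sample input: the first line is the one shown in this post,
# the other two are made up for this example (placeholder hashes).
SAMPLE = [
    "myuseid:$xxxxxxxxxeeerrrrr:15607:0:900:10:0::",
    "svcuser:$xxxxxxxxx:15607:0:99999:10:::",
    "tempuser:$xxxxxxxxx:15607:0:60:10::15700:",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit_shadow_line(entry, date(2012, 10, 1)))
```

Accounts reported as no-aging are the ones to review against the password policy, since they are in the state that the chage -m 0 -M 99999 -I -1 -E -1 command above produces.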

For more complete information, see
  1. 6.6. Linux Password & Shadow File Formats
  2. 7 Examples to Manage Linux Password Expiration and Aging Using chage
