Managing the period of time a password of a user should be valid and the date in which said account should expire are very important tasks a system administrator should be able to perform. While some of these parameter can be set when creating an account, it is also possible to change them at a second time, using the chage utility; in this tutorial we see how to use this utility.
In this tutorial you will learn:
- How to get information about an user account ageing
- How to set an account expiration date
- How to set the minimum number of days which should pass between two password changes
- How to set the password expiration date
- How to set the inactive days threshold
- How to set when a user should receive a warning about a future password expiration
Software requirements and conventions used
| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Distribution independent |
| Software | chage |
| Other | Root permissions |
| Conventions | # – requires given linux-commands to be executed with root privileges either directly as a root user or by use of sudo command$ – requires given linux-commands to be executed as a regular non-privileged user |
Getting aging status information
To make the chage utility display information about an account aging status, all we have to do is to invoke it with the -l option (which is the short form of --list) and provide the account we want to check as its argument. If we are checking information about our own account, we can call the utility without administrative privileges; if we are requesting information for another account (or we are changing aging parameters) we should prefix the command with sudo, or run the command directly as root. In the example below, I request a report about my own account:
$ chage -l egdoc
Here is an example of the output of the command:
Last password change : May 07, 2021 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7
The first row of the output reports the last date in which the password for the account was changed (Last_password_change). In this case we can see the last change was performed on “May 07, 2021”.
The second line reports the date in which the current password will expire (Password_expires). In this case the reported value is “never”, so the password expiration feature is disabled (the password will never expire).
The third line show us the Password inactive date. In this case the option is disabled, but we can establish a number of days of user inactivity after a password expires before the user account is locked.
On the fourth row we can check the account expiration date (Account expiration). As a value for this option we can provide a specific date or alternatively a number of days since “January 1, 1970”, after which the user account will be locked.
On the next two lines we can see the minimum number of days which should pass between two password changes (Minimum number of days between password change), and the maximum number of days a password should be valid (Maximum number of days between password change). In this case, the value of the first option is 0, so the user can change its password as many times as he/she wants.
Finally, in the last row of the program output we can see how many days before the password expiration event a warning should be sent to the user. The current value is 7; it is irrelevant, however, since password expiration is disabled.
Change the password expiration date
Using the chage utility we can set a password expiration date using the -M option, in order to set the maximum number of days in which a password should be considered valid. For example to set the password validity to 30,
we would run:
$ sudo chage -M 30 egdoc
The above command will set the password to expire 30 days from the last change. Since we made the last change on 2021/05/07, the password will now expire on 2021/06/06. Is is also possible to manually enter the date in which the last password change occurred using the -d option, which is the short version of --lastday. To set it to 2021/04/07, for example, we would run:
$ sudo chage -d 2021-04-07 egdoc
Modifying the “last change” date will also affect the password expire date.
Changing the inactive days threshold
With the chage utility is possible to change how many days after a password expiration an account should be locked. To perform this operation we want to invoke the utility with the -I option (--inactive) and provide the number of days as argument (passing -1 disables the feature). To set the threshold to 15 inactive days we would run:
$ sudo chage -I 15 egdoc
Considering that in the previous example we set the password expiration date to 2021-06-06, by running the command above the account will be locked on 2021-06-21.
Changing the account expiration date
An account expiration date is usually set at creation time, but with the chage utility is possible to modify it. All we have to do is to run the program with the -E option (short for --expiredate), and provide the date in which the account should expire in the YYYY-MM-DD format. In the following example we set the account of the “egdoc” user to expire the 15th of August of the year 2021:
$ sudo chage -E 2021-08-15 egdoc
Changing the minimum number of days between password changes
As we saw before, we can set a minimum number of days that should pass between password changes. In the output of the chage -l command we can notice the value of this parameter is currently set to 0, so the user may change the
password as many times he wants. To change this parameter we must invoke chage with the -m option (--mindays) and provide the number of days as argument. To set this value to 3 days, we would run:
$ sudo chage -m 3 egdoc
If the user tries to change its password sooner than expected, it will receive the following error on the console:
You must wait longer to change your password.
The root user, however, will still be able to change the password without any restrictions.
Setting how many the days before the password expires the user should receive a warning
With the chage utility we can set how many days before the password expiration date, the user should receive a warning. To change the value for this parameter we must run the utility with the -W option (--warndays) and provide the number of days as argument to the option. To set this value to 14 days, we would run:
$ sudo change -W 14 egdoc
Conclusions
In this article we learned how to use the “chage” utility on Linux to get information about accounts expiration dates and modify the associated parameters. We saw how to set an account expiration date, how to set the minimum number of days which should pass between password changes, how to set a password expiration date, the inactive days threshold, and how many days before the password expiration a user should receive a warning. Managing account expiration dates is a really important task: for a more in depth knowledge of the chage utility, please consult its own manual.
