User management is an important part of Linux administration, so it’s essential to know about all the user accounts on a Linux system. Some common user administration tasks are to list users, disable a user account, or create and modify user accounts.
In this guide, we will be focusing on managing user passwords. It’s good security practice to force users to change their password every once in a while by setting passwords to expire. In the examples below, you’ll see how to reset a user’s password, set their password to expire (either instantly or in the future), and see the age of a user’s password. We’ll also see how password changes can be seen in log files, giving us some insight into a user’s password change history.
In this tutorial you will learn:
- How to set a user’s password to expire
- How to see the age of a user’s password
- How to see password changes in log files
|Category||Requirements, Conventions or Software Version Used|
|System||Any Linux distro|
|Other||Privileged access to your Linux system as root or via the
# – requires given linux commands to be executed with root privileges either directly as a root user or by use of
$ – requires given linux commands to be executed as a regular non-privileged user
Set a user’s password to expire
As the root user, you can set a user’s password to expire by executing the passwd -e command. The following example will expire the password for user “linuxconfig”. Doing this will prompt the user to change their password the next time they try to log in to the system.
$ sudo passwd -e linuxconfig
This will force the user to choose a new password. If they try to go back to their old password, the change is rejected with a “Password unchanged” error.
If you don’t want the user’s password to expire right away (that is, as soon as the command above is executed), then you can use the chage command. This command looks a lot like the word “change,” but it’s not a typo: it really is chage without the “n.”
Add the -M option to your command, and specify the length of time, in days, after which a user’s password should expire. The following example will make the password for user “linuxconfig” expire 30 days from now.
$ sudo chage -M 30 linuxconfig
We can also choose a day for the password to expire by using the -E option and specifying the date in YYYY-MM-DD format. This command will force a user’s password to expire on January 15, 2023.
$ sudo chage -E 2023-01-15 linuxconfig
Use the -W option to warn a user that their password will soon expire. For example, this command will warn a user 7 days in advance that their password is going to expire.
$ sudo chage -W 7 linuxconfig
See the age of a user’s password
We can once again turn to the chage command when we wish to see information about the age of a user’s password. The -l option will list when a user’s password was last changed, and when their password is set to expire.
$ chage -l linuxconfig
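To review password age for every account at once instead of one user at a time, the aging fields that chage -l displays can be read from shadow(5)-format data. The script below is an added example, not part of the original guide; the function names, status labels and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise password aging from shadow(5)-format lines on stdin.
# Fields: 1=name 2=hash 3=last change (days since 1970-01-01) 5=max days 6=warn days.
# On a real system (root required), for instance:
#   sudo cat /etc/shadow | password_aging_report "$(( $(date +%s) / 86400 ))"

password_aging_report() {   # $1 = today as days since 1970-01-01
    awk -F: -v today="$1" '
    $2 ~ /^[!*]/ { next }                             # locked or no-login account
    $3 == "0"    { print $1, "MUST_CHANGE"; next }    # state left by passwd -e
    $3 == ""     { print $1, "NO_AGING"; next }       # aging fields unset
    {
        age = today - $3
        if ($5 == "" || $5 + 0 >= 99999) {            # no maximum age configured
            print $1, "NEVER_EXPIRES", "age=" age
            next
        }
        left = $3 + $5 - today                        # days until last change + max
        warn = ($6 == "") ? 0 : $6 + 0
        if (left < 0)          status = "EXPIRED"
        else if (left <= warn) status = "WARN"
        else                   status = "OK"
        print $1, status, "age=" age, "left=" left
    }'
}

# Constructed sample data (not real accounts or hashes).
sample_shadow() {
    cat <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
linuxconfig:$6$constructed$hash:0:0:30:7:::
alice:$6$constructed$hash:19380:0:30:7:::
bob:$6$constructed$hash:19350:0:30:7:::
carol:$6$constructed$hash:19375:0:30:7:::
daemon:*:18000:0:99999:7:::
EOF
}

sample_shadow | password_aging_report 19400
```

Accounts reported as NEVER_EXPIRES or NO_AGING are the ones that have no expiry policy applied yet.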
See password changes in log files
Linux logs a lot of data, and password changes are no exception. Debian-based systems such as Ubuntu will store password changes in the /var/log/auth.log file, and Red Hat-based systems store this information in /var/log/secure. Use the following grep command to take a peek into the appropriate file.
$ grep -R -i passwd /var/log/auth.log
The log shows us when our “linuxconfig” user account had its password set to expire, and it also shows when the user’s password was changed.
In this guide, we saw how to manage user account passwords on Linux by forcing a password to expire, setting it to expire in the future, seeing when the password was last changed, and viewing logs to see password changes. These should be all the commands you need to know in order to manage user account passwords and keep your system secure through regularly expiring passwords.