The chage command in Linux is used to manage password aging for user accounts. It allows system administrators to enforce password expiration policies, making it a vital tool for maintaining system security.

This guide will walk you through the basics of using chage with practical examples to help you manage user accounts effectively.

Understanding Password Aging

Password aging allows administrators to set rules about how often users must change their passwords. This helps enhance system security by reducing the chances of compromised accounts due to outdated credentials. The chage command is used to manage the aging policies.

The syntax of the chage command is:

chage [options] username

Where:

  • username: Specifies the name of the user for whom you want to manage password settings.
  • options: Control aspects such as password expiration, warning periods, and inactivity.

Checking User Password Aging Information

You can use chage with the -l option to view the current password aging information for a user.

chage -l username

Output:

Last password change                    : Aug 20, 2024
Password expires                        : Nov 18, 2024
Password inactive                       : never
Account expires                         : never
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7

The -l (list) flag shows password information like last password change, account expiration, and password expiry dates.

Setting Password Expiration

The -M option is used to set the maximum number of days a password remains valid. After this period, users are forced to change their password.

chage -M 60 username

This sets the maximum password validity to 60 days. Users will be required to change their passwords every 60 days.

Setting Minimum Days Between Password Changes

You can use the -m option to set the minimum number of days between password changes.

chage -m 7 username

This sets a minimum of 7 days between password changes.

Setting a Password Expiry Warning Period

The -W option sets the number of days before password expiration when the user will start receiving warnings.

chage -W 10 username

Users will receive a warning to change their password starting 10 days before it expires.

Setting an Account Expiration Date

The -E option is used to set an account expiration date, after which the account is disabled.

chage -E 2024-12-31 username

After December 31, 2024, the user account will expire, preventing the user from logging in.

Making Password Inactive After Expiry

The -I option sets the number of days after a password has expired before the account becomes inactive.

chage -I 30 username

The account will become inactive 30 days after the password has expired if the user does not update their password.

Setting All Password Aging Options at Once

You can use the -M, -m, -W, -I, and -E options together to fully configure the password aging policy for a user.

chage -M 90 -m 10 -W 7 -I 15 -E 2024-12-31 username

This command sets up a comprehensive password policy as shown below:

  • Maximum validity: 90 days
  • Minimum days between changes: 10 days
  • Warning period: 7 days
  • Account becomes inactive: 15 days after password expiry
  • Account expires on: December 31, 2024
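To check which accounts deviate from the policy above, the following added example (not part of the original guide) audits shadow-format records, whose fields 4 to 7 hold the values set by -m, -M, -W and -I. The sample records are constructed, and skipping entries whose hash field starts with ! or * (no usable password) is a choice made for this example.

```shell
#!/usr/bin/env bash
# Audit shadow-format records against the aging policy used above:
#   -M 90 (max), -m 10 (min), -W 7 (warn), -I 15 (inactive)
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Real use (as root):  getent shadow | audit_aging

audit_aging() {
  # Reads shadow-format lines on stdin; prints one "user: finding" per deviation.
  awk -F: -v MAX=90 -v MIN=10 -v WARN=7 -v INACT=15 '
    function val(v) { return (v == "" ? "unset" : v) }
    # Example assumption: skip entries with no usable password (! or * hash).
    $2 ~ /^[!*]/ { next }
    {
      if ($5 == "" || $5 + 0 > MAX)
        print $1 ": max age " val($5) " (policy: at most " MAX ")"
      if ($4 == "" || $4 + 0 < MIN)
        print $1 ": min age " val($4) " (policy: at least " MIN ")"
      if ($6 == "" || $6 + 0 < WARN)
        print $1 ": warning period " val($6) " (policy: at least " WARN ")"
      if ($7 == "" || $7 + 0 > INACT)
        print $1 ": inactive period " val($7) " (policy: at most " INACT ")"
    }'
}

sample_shadow() {
  # Constructed sample records; the hashes are placeholders, not real hashes.
  cat <<'EOF'
alice:$6$constructed$hash:19955:10:90:7:15:20088:
bob:$6$constructed$hash:19955:0:99999:7:::
carol:$6$constructed$hash:19955:10:60:3:15::
daemon:*:19000:0:99999:7:::
EOF
}

# alice complies, bob has three findings, carol has one, daemon is skipped.
sample_shadow | audit_aging
```

Each finding maps to one chage option, so a reported account can be brought into line with the combined command shown above.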

Conclusion

The chage command is an essential tool for managing password policies on Linux. It allows system administrators to enforce security practices and ensure users regularly update their credentials. The powerful Linux chage command can manage user password policies on Atlantic.Net’s dedicated servers.