Learn chage command in Linux with several examples. View, edit password ageing parameters using chage command to secure your Linux accounts.
Controlling password aging of user accounts is very much important for security of server. This ensures users are always updated with passwords and there are no old passwords or accounts living on server which are vulnerable to compromise.
Read also : Linux user account policies
chage command aims at viewing and editing password aging information. This command is capable of editing below password attributes :
- Last change date
- Expiry date
- Minimum days
- Maximum days
- Warning days
- Inactivity period
- View attributes
Lets see all of above, one by one :
1. Last change date :
This is number of days from Unix date i.e. 1 Jan 1970 when password was last changed. Normally this date changes automatically when user changes his password. But, if you want to change it manually you can use chage command with -d option like below :
# chage -d 2016-03-12 user4 << YYYY-MM-DD format
You can view change in date by comparing before and after output of chage -l <user> command. This date is displayed against “Last password change” attribute in output. We will see this output in detail in last part of this post.
2. Expiry date
This is date on which account password will expire and user wont be able to login until he changes his account password. It can also be set as YYYY-MM-DD format with -E option as below :
# change -E 2016-12-05 user4
This date changes automatically whenever user changes his password. It checks maximum days attribute and adds those many days to current date (date of password change); resulting date will be expiry date.
Setting this to -1 removes account password expiry. That account will have non-expiry password and never need to change password in future.
3. Minimum days
These are number of days user must wait to make another password change on his account. For example if this is set to 7 then once user changes password, he can not change password again until 7 days. This can be set using -m option.
# chage -m 7 user4
Setting this parameter to 0 enables user to change his password at any time (no restriction).
4. Maximum days
These are number of days user can use same password. For example if this is set to 20 days then user must change password after 20 days. This value decides password expiration date we seen above. This can be set using -M option
# chage -M 30 user4
If you want to remove this restriction and want to use same password forever then you need to set expiration date to -1 which we saw earlier.
5. Warning days
These are number of days before password expiry date, user start seeing warning on his login screen about password expiry. User warning will be shows post login like below :
login as: user4
Warning: your password will expire in 6 days
Last login: Thu Dec 29 17:17:32 2016 from 10.10.2.10
You can set this attribute using -W option
# chage -W 7 user4
6. Inactivity period
These are number of days account can remain inactive after password is expired. After which account will be locked for security reason since idle accounts vulnerable to compromise. This can be set using -I option.
# chage -I 10 user4
If you set this to -1 then this restriction will be waived off form that account.
7. Viewing all above attributes:
To view all above attributes you can use -l option :
# chage -l user4
Last password change : Mar 12, 2016
Password expires : Jun 10, 2016
Password inactive : never
Account expires : Nov 30, 2016
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
In above output:
- Last password change is Last change date (-d)
- Password expires is expiry date (-E)
- Password inactive is Inactivity period (-I)
- Account expires is expiry date for account. Last change date plus maximum days.
- Minimum number of days……. is minimum days (-m)
- Maximum number of days……. is maximum days (-M)
- Number of days of warning …… is warning days (-W)
You can check this output before changing any attribute using above commands. Check change in attribute post command execution again!
Let us know queries, suggestions, feedback, corrections in comments below.