Manage user password expiration and aging on Linux by following a quick 5 step process. It will not only help maintain a good level of security on your system but will also aid in administering the user accounts more flexibly.
Password verification is a process that starts from the /etc/shadow file. Whenever a user attempts to log in, the system checks whether an entry for that user exists in the /etc/shadow file. It also verifies whether the typed password matches the stored password hash.
If everything goes as desired, the login attempt succeeds; if not, the system reports a failure. To ensure better security, the password aging feature for user accounts was introduced. It has a crucial role to play in the verification process.
Although it is not a tough skill to master, misleading approaches can make the entire thing challenging. To help you avoid that, this article is a flexible guide on how to manage user password expiration and aging.
Prerequisites:
Before you learn how to manage user password expiration and aging on Linux, I’d recommend creating a separate user account and applying the changes there. It will help make sure that you get proper exposure to the process without causing any harm to the existing accounts.
Creating A User Account
To create a user account, you’ll only need to invoke the useradd and the passwd commands. It is crucial that you have sudo privileges for that.
Launch the Terminal using the “Ctrl+Alt+T” key combination
Run the following commands
$ sudo useradd trialuser

$ sudo passwd trialuser

How to Manage User Password Expiration and Aging on Linux
Are you done creating the trial user account already? If yes, it is time to learn how to manage user password expiration seamlessly.
Step 1: Forcing a Password Change Right On First Login
To start managing user password expiration, the first thing to do is force a password change to occur as soon as the initial login is concluded. To do that, use the chage command alongside the -d flag in the following manner:
$ sudo chage -d 0 trialuser

When you log in to your system as the created user (trialuser, for instance), the system will prompt for and initiate a password change. Set the new password and log yourself back in.
Step 2: Altering the User Password Policy
The next task is changing the default password policy for the concerned user. Suppose you want the trialuser to have a new password every 30 days. In that case, invoke the chage command together with the -M option while defining the desired period.
The command should look something like this:
$ sudo chage -M 30 trialuser

Verify the Password Policy Status
Verify the update status for the concerned user’s password policy. Run the chage command and use the -l flag with it. Your system will then provide an output displaying details on password expiry.
$ sudo chage -l trialuser

Step 3: Get the User Account Expiry Terms Sorted
To manage user password expiration and aging, it is crucial to set the desired user account so that it expires only after X number of days have passed. Suppose you want the number of days to be 150. In that case, follow the steps below:
You’ll first need to work out the exact date that lies that many days after the current date. For that, invoke the date -d command.
Input:
$ date -d "+150 days" +%F
The output will display the exact date. Use it to set the terms.
$ sudo chage -E [Desired Date] trialuser

Verify the Updated Expiry Date
Just like what we did for step 2, invoke the sudo chage -l command and check that you’ve successfully updated the expiry date.
Satisfied with the output? If yes, move to the next step.
Step 4: Get the User Account Locked
Here you’ll learn how to lock and unlock the user account. Locking is an action that helps restrict the concerned user from authenticating with any password on the system. Use the usermod command together with the -L flag for this purpose.
$ sudo usermod -L trialuser

Verification:
Run the su - trialuser command. If it responds with the message Authentication failure, it means that the locking process has been successfully concluded.
Unlocking User Account
You can unlock the previously locked account by invoking the usermod -U command at any point in time.
Launch the Terminal and then run the following command:
$ sudo usermod -U trialuser
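
The chage and usermod commands in Steps 1 to 4 work by changing fields of the account's /etc/shadow entry, so the resulting state can be audited by reading those fields. The following is an added example, not part of the original guide: the function names, the sample accounts and their hash strings are constructed, and the date logic is a simplified reading of shadow(5) that ignores the inactivity field.

```shell
#!/bin/sh
# Added example (not from the original guide): classify accounts from
# shadow(5)-format lines: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are counted in days since 1970-01-01.

# Constructed sample entries; the hash strings are placeholders, not real hashes.
sample_shadow() {
cat <<'EOF'
trialuser:$6$constructed$hash:0:0:99999:7:::
alice:$6$constructed$hash:19990:0:30:7:::
bob:$6$constructed$hash:19900:0:30:7:::
carol:$6$constructed$hash:19990:0:30:7::19950:
dave:!$6$constructed$hash:19990:0:30:7:::
EOF
}

# shadow_aging_status TODAY: reads shadow lines on stdin, prints "user:state".
# TODAY is the current day number (days since the epoch).
shadow_aging_status() {
    today=$1
    while IFS=: read -r user hash lastchg min max warn inactive expire rest; do
        [ -n "$user" ] || continue
        state=ok
        if [ -n "$max" ] && [ "$max" -lt 99999 ] && [ -n "$lastchg" ] \
           && [ $((today - lastchg)) -gt "$max" ]; then
            state=password-expired      # older than the chage -M limit
        fi
        if [ "$lastchg" = 0 ]; then
            state=must-change           # set by chage -d 0
        fi
        if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
            state=account-expired       # date set by chage -E has passed
        fi
        case $hash in
            '!'*) state=locked ;;       # usermod -L prefixes the hash with "!"
        esac
        printf '%s:%s\n' "$user" "$state"
    done
}

# Run against the constructed sample using today's day number.
sample_shadow | shadow_aging_status "$(( $(date +%s) / 86400 ))"
```

On a live system, feed the function the output of sudo cat /etc/shadow instead of the sample and compare the result with sudo chage -l for the same account.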
Step 5: Setting Password Policy for Every User
If you want to set the desired password policy for every existing user, you can do that pretty seamlessly. However, you’ll require administrative access so that you can edit the /etc/login.defs file.
To modify the file, you can use any of your favorite editors, vim, for instance.
$ sudo vim /etc/login.defs

Set the desired password policy by defining the exact number of days in the parameter named PASS_MAX_DAYS. Apart from that, you can make the desired modifications to other existing parameters. The most common ones associated with password aging include:
PASS_WARN_AGE: It defines the number of days before the system leaves a warning notification about password expiry.
PASS_MIN_DAYS: The minimum number of days allowed between consecutive password alterations.
PASS_MIN_LEN: As the name suggests, it defines the minimum acceptable length of the password.
PASS_MAX_DAYS: Maximum number of days after which the user needs to change the password.
With that, you now know how to manage user password expiration and aging on Linux. The guide walks you through five amazing steps that help monitor user passwords pretty seamlessly.