chage Command in Linux

Introduction

In this lab exercise, you'll discover how to leverage the chage command in Linux to manage user password expiration dates and implement robust password policies. The chage utility provides the tools to view and administer critical password aging attributes, including the date of the last password change, the password's expiration date, pre-expiration warning periods, and the permitted minimum and maximum intervals between password modifications. Through practical examples, you will master setting new password expiration dates for users, ensuring timely password updates for enhanced system security.

Understand the chage Command

This section introduces the chage command in Linux, a crucial tool for system administrators to control user password expiration dates and related password aging parameters.

The chage command empowers you to view and modify the following password aging settings for any user account:

  • Date of the last password change
  • Password expiration date itself
  • The password expiration warning period
  • The minimum permissible days between password changes
  • The maximum allowed days between password changes

To inspect the current password aging settings for a specific user, execute the chage command with the -l option, specifying the username:

$ sudo chage -l labex
Last password change                                    : Jan 01, 2023
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

The displayed output indicates that the user labex does not currently have a password expiration date configured, implying the password is set to never expire. This is often not desired from a security standpoint.

To define or adjust the password expiration date for a user, employ the chage command alongside the -E option, providing the desired expiration date in YYYY-MM-DD format. For instance, to mandate that the labex user's password expire within 30 days:

$ sudo chage -E $(date -d "+30 days" '+%Y-%m-%d') labex

Illustrative output following the command's execution:

$ sudo chage -l labex
Last password change                                    : Jan 01, 2023
Password expires                                        : Feb 01, 2023
Password inactive                                       : never
Account expires                                        : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

The chage command boasts a range of options for fine-tuning password aging policies. For a comprehensive list, refer to the command's manual page using man chage.

Modify User Password Expiration Date

In this section, we'll explore the practical steps to modify the password expiration date for a user account using the chage command within a Linux environment. This is a fundamental task for any systemadmin.

First, it's good practice to check the current password expiration date for the target user, in this case, labex:

$ sudo chage -l labex
Last password change                                    : Jan 01, 2023
Password expires                                        : Feb 01, 2023
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

The output confirms that the labex user's password is currently scheduled to expire on February 1, 2023.

To adjust this date, invoke the chage command with the -E option, specifying the desired new expiration date in YYYY-MM-DD format. As an example, to set the password expiration date to 90 days from the present day:

$ sudo chage -E $(date -d "+90 days" '+%Y-%m-%d') labex

Now, let's validate that the password expiration date has been successfully updated:

$ sudo chage -l labex
Last password change                                    : Jan 01, 2023
Password expires                                        : Apr 01, 2023
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

The output confirms that the password expiration date has been successfully adjusted to April 1, 2023.

Enforce Password Expiration Policy

This section will demonstrate how to enforce a comprehensive password expiration policy across user accounts using the chage command. This is vital for maintaining a secure Linux system.

Begin by examining the existing password expiration policy for the labex user:

$ sudo chage -l labex
Last password change                                    : Jan 01, 2023
Password expires                                        : Apr 01, 2023
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

As revealed, the current password for the labex user is configured to expire on April 1, 2023.

To enforce a password expiration policy, utilize the chage command with the following key options:

  • -M: Defines the maximum duration (in days) a password remains valid before expiration.
  • -m: Specifies the minimum interval (in days) that must elapse between password changes.
  • -W: Sets the number of days prior to password expiration that a warning notification is issued to the user.

For example, to implement a password expiration policy for the labex user with the following criteria:

  • Maximum password age: 90 days
  • Minimum password age: 7 days
  • Password expiration warning period: 7 days

Execute the following command sequence:

$ sudo chage -M 90 -m 7 -W 7 labex

Now, verify that the password expiration policy has been updated accordingly:

$ sudo chage -l labex
Last password change                                    : Jan 01, 2023
Password expires                                        : Apr 01, 2023
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 7
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7

The output confirms that the password expiration policy has been updated to reflect the new settings.

Summary

In this hands-on lab, you gained practical experience with the chage command in Linux, a valuable tool for system administrators to manage user password expiration dates and related aging parameters. You learned how to retrieve and interpret existing password aging information for users, and how to effectively modify password expiration dates. Furthermore, you mastered the techniques for enforcing a robust password expiration policy, thereby enhancing the security posture of your Linux system. Understanding and utilizing chage is a key skill for any systemadmin responsible for user account management.

400+ Linux Commands