Jul 252011
 

terminal If you think that the operations about users are only: creation, deletion and change of the passwords you are in error, in the standard GNU/Linux system about authentication and authorization of users there are some interesting flags regarding the age of an account.

These parameters are usually ignored, but can be very useful in particular situations, or to help enforce internal policies on the use of personal accounts.

All these parameters are stored in /etc/shadow can be viewed and modified with the command chage


chage

chage changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change her password. The chage command is restricted to the root user, except for the -l option, which may be used by an unprivileged user to determine when her password or account is due to expire.

Basic Syntax:

chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndaysuser

Options:
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximim number of days before password
                                change to MAX_DAYS
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS

Typical characteristics of a user on a desktop:

# chage -l linuxaria
Last password change					: Jan 09, 2011
Password expires					: never
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 99999
Number of days of warning before password expires	: 7

Basically you have the information on the day of the last password change and all the others flags are not set.

Changing password

If i change my password today i’ll get :

# chage -l linuxaria
Last password change					: Jul 25, 2011
Password expires					: never
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 99999
Number of days of warning before password expires	: 7

Set the max number of days for a password

My company has a policy about users, they must change their own password every 90 days (don’t ask me if i like it or if i think it’s useful, please), so every user on our servers has something like that:

#chage -M 90 linuxaria
# chage -l linuxaria
 
Last password change					: Jul 25, 2011
Password expires					: Oct 23, 2011
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 90
Number of days of warning before password expires	: 7

I’ve changed my desktop user with the -M flag; and now there are 2 changes:
Password expires has now a value and Maximum number of days between password change is now set at 90

Now that we have an expiration date becomes important the value of “Number of days of warning before password expires”, which by default is set to 7, this means that if I connect to a server 4 days before the expire date I will get something like this:

# ssh linuxaria@myserver
linuxaria@myserver's password:
Warning: your password will expire in 4 days

if you don’t change the password before the expire date you’ll be forced, to change it, by the system in the the login phase, unless you have set also a password inactive value, this value tells to the system that if you don’t change your password after X days after it’s expired the account must be locked.
In the example this value it’s set to never.

Set an expiration date

I’ve used this option in the past, it’s useful when you have an external that must login to your system for 1 week or month, and you want to be sure that after a certain date he cannot login anymore, this flag help you set this date from the creation phase, so you’ll not have to remember to close the account manually.

# chage -E "2011-07-31" linuxaria
# chage -l linuxaria
 
Last password change					: Jul 25, 2011
Password expires					: Oct 23, 2011
Password inactive					: never
Account expires						: Jul 31, 2011
Minimum number of days between password change		: 0
Maximum number of days between password change		: 90
Number of days of warning before password expires	: 7

In this example my account will not work anymore after 31 Jul 2011.
A user whose account is locked must contact the system administrator before being able to use the system again.

Remove the limitations

Ok, it’s now time to return to the original setup for my username:

-m 0 will set the minimum number of days between password change to 0
-M 99999 will set the maximum number of days between password change to 99999
-I -1 will set the “Password inactive” to never
-E -1 will set “Account expires” to never.

# chage -m 0 -M 99999 -I -1 -E -1 linuxaria
# chage -l linuxaria
 
Last password change					: Jul 25, 2011
Password expires					: never
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 99999
Number of days of warning before password expires	: 7



Popular Posts:

flattr this!

  One Response to “chage : control your users “age” on Linux”

  1. Thanks for the article. I wasn’t aware of that command.

 Leave a Reply

(required)

(required)


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>