If you think that the operations about users are only: creation, deletion and change of the passwords you are in error, in the standard GNU/Linux system about authentication and authorization of users there are some interesting flags regarding the age of an account.
These parameters are usually ignored, but can be very useful in particular situations, or to help enforce internal policies on the use of personal accounts.
All these parameters are stored in /etc/shadow can be viewed and modified with the command chage
chage
chage changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change her password. The chage command is restricted to the root user, except for the -l option, which may be used by an unprivileged user to determine when her password or account is due to expire.
Basic Syntax:
chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] user
Options: -d, --lastday LAST_DAY set date of last password change to LAST_DAY -E, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE -h, --help display this help message and exit -I, --inactive INACTIVE set password inactive after expiration to INACTIVE -l, --list show account aging information -m, --mindays MIN_DAYS set minimum number of days before password change to MIN_DAYS -M, --maxdays MAX_DAYS set maximim number of days before password change to MAX_DAYS -W, --warndays WARN_DAYS set expiration warning days to WARN_DAYS |
Typical characteristics of a user on a desktop:
# chage -l linuxaria Last password change : Jan 09, 2011 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7 |
Basically you have the information on the day of the last password change and all the others flags are not set.
Changing password
If i change my password today i’ll get :
# chage -l linuxaria Last password change : Jul 25, 2011 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7 |
Set the max number of days for a password
My company has a policy about users, they must change their own password every 90 days (don’t ask me if i like it or if i think it’s useful, please), so every user on our servers has something like that:
#chage -M 90 linuxaria # chage -l linuxaria Last password change : Jul 25, 2011 Password expires : Oct 23, 2011 Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 90 Number of days of warning before password expires : 7 |
I’ve changed my desktop user with the -M flag; and now there are 2 changes:
Password expires has now a value and Maximum number of days between password change is now set at 90
Now that we have an expiration date becomes important the value of “Number of days of warning before password expires”, which by default is set to 7, this means that if I connect to a server 4 days before the expire date I will get something like this:
# ssh linuxaria@myserver linuxaria@myserver's password: Warning: your password will expire in 4 days |
if you don’t change the password before the expire date you’ll be forced, to change it, by the system in the the login phase, unless you have set also a password inactive value, this value tells to the system that if you don’t change your password after X days after it’s expired the account must be locked.
In the example this value it’s set to never.
Set an expiration date
I’ve used this option in the past, it’s useful when you have an external that must login to your system for 1 week or month, and you want to be sure that after a certain date he cannot login anymore, this flag help you set this date from the creation phase, so you’ll not have to remember to close the account manually.
# chage -E "2011-07-31" linuxaria # chage -l linuxaria Last password change : Jul 25, 2011 Password expires : Oct 23, 2011 Password inactive : never Account expires : Jul 31, 2011 Minimum number of days between password change : 0 Maximum number of days between password change : 90 Number of days of warning before password expires : 7 |
In this example my account will not work anymore after 31 Jul 2011.
A user whose account is locked must contact the system administrator before being able to use the system again.
Remove the limitations
Ok, it’s now time to return to the original setup for my username:
-m 0 will set the minimum number of days between password change to 0
-M 99999 will set the maximum number of days between password change to 99999
-I -1 will set the “Password inactive” to never
-E -1 will set “Account expires” to never.
# chage -m 0 -M 99999 -I -1 -E -1 linuxaria # chage -l linuxaria Last password change : Jul 25, 2011 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7 |
Popular Posts:
- None Found
Thanks for the article. I wasn’t aware of that command.