In this tutorial, you will learn to set password expiration policies for Linux users and to manually lock and unlock user accounts. Password aging and expiration are implemented to better protect user accounts.
How password authentication works
When a user attempts to log in, the system looks up that user's entry in the /etc/shadow file, takes the salt stored in that entry, combines it with the plaintext password that was entered, and hashes the result with the hash algorithm the entry specifies. If the result matches the stored hash, the user entered the correct password. If it does not match, the user entered the wrong password and the login attempt fails.
You will learn:
- Force a password change on first login.
- Force a password change every X days.
- Set a user account to expire X days from today.
Before starting, I will create a user account for this exercise.
sudo useradd user1
sudo passwd user1
The other user management actions are shown with examples below.
Exercise 1: Force a password change on first login
To force a user to change their password the first time they log in, use the following command:
sudo chage -d 0 user1
If you log in as user1, you will be prompted to change your password.
$ ssh user1@localhost
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
user1@localhost's password:
You are required to change your password immediately (administrator enforced)
Last login: Wed Feb 12 06:48:43 2020 from ::1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user user1.
Current password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to localhost closed.
You can now log in with your updated password.
$ ssh user1@localhost
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
user1@localhost's password:
Last login: Wed Feb 12 06:48:53 2020 from ::1
[user1@localhost ~]$ exit
logout
Connection to localhost closed.
Exercise 2: Change the user’s password policy
Now we set a password policy that requires the user to choose a new password every 90 days.
sudo chage -M 90 user1
Confirm that the password policy is set successfully.
$ sudo chage -l user1
Last password change                                    : Feb 12, 2020
Password expires                                        : May 12, 2020
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
Exercise 3: Set the user account to expire in X days
We will set the user1 account to expire 120 days from today.
First, get the date 120 days from the current date:
$ date -d "+120 days" +%F
2020-06-11
Now set the account to expire on the date shown above:
sudo chage -E 2020-06-11 user1
Verify that the account expiration date was successfully set:
$ sudo chage -l user1
Last password change                                    : Feb 12, 2020
Password expires                                        : May 12, 2020
Password inactive                                       : never
Account expires                                         : Jun 11, 2020
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
Exercise 4: Lock and unlock user accounts
Locking an account prevents the user from authenticating with their password. The usermod command locks an account with the -L option:
sudo usermod -L user1
$ su - user1
Password:
su: Authentication failure
The account can be unlocked later with the usermod -U option:
sudo usermod -U user1
As a system administrator, you can lock an account and set its expiration date with a single usermod command. This is ideal for former employees.
sudo usermod -L -e 2020-02-20 user1
The date must be given either as the number of days since 1970-01-01 or in YYYY-MM-DD format.
Exercise 5: Set password policies for all users
To make all user passwords expire 90 days after they are set, edit the file /etc/login.defs, which requires administrative permissions.
sudo vim /etc/login.defs
Set PASS_MAX_DAYS to 90, so that the line reads PASS_MAX_DAYS 90.
All password aging parameters you can configure are:
- PASS_MAX_DAYS The maximum number of days that a password can be used.
- PASS_MIN_DAYS The minimum number of days allowed between password changes.
- PASS_MIN_LEN The minimum acceptable password length.
- PASS_WARN_AGE The number of warning days given before the password expires.
When you edit /etc/login.defs, the default password and account expiration settings apply only to users created afterwards, not to existing users; for existing users, set the policy per account with chage as shown in the exercises above.
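To check what chage, usermod -L and usermod -e actually wrote, the shell function below (an added example, not part of the original tutorial) reads the aging fields of /etc/shadow lines and reports, per user, whether the account is locked, when the password expires and when the account expires. The sample shadow lines and their shortened hashes are constructed; the day numbers 18304 and 18424 are Feb 12 and Jun 11, 2020, the dates used in the exercises.

```shell
# Added example, not part of the original tutorial: audit the password-aging
# fields of /etc/shadow lines, the same data that "chage -l" reports.
# Field order: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# (day counts are days since 1970-01-01, one of the formats chage -E accepts).

# Convert days since 1970-01-01 to YYYY-MM-DD using integer arithmetic only.
days_to_date() {
  z=$(( $1 + 719468 )); era=$(( z / 146097 )); doe=$(( z - era * 146097 ))
  yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
  doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
  mp=$(( (5 * doy + 2) / 153 )); d=$(( doy - (153 * mp + 2) / 5 + 1 ))
  if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
  y=$(( yoe + era * 400 )); [ "$m" -le 2 ] && y=$(( y + 1 ))
  printf '%04d-%02d-%02d' "$y" "$m" "$d"
}

# Print "name status password_expires account_expires" for one shadow line.
audit_shadow_line() {
  IFS=: read -r name hash last min max warn inactive expire reserved <<EOF
$1
EOF
  status=ok
  case "$hash" in
    '!'*|'*'*) status=locked ;;   # usermod -L prefixes the hash with "!"
  esac
  if [ -z "$last" ] || [ -z "$max" ] || [ "$max" -ge 99999 ]; then
    pexp=never                    # aging disabled or no maximum age set
  elif [ "$last" -eq 0 ]; then
    pexp=next-login               # chage -d 0: change required at first login
  else
    pexp=$(days_to_date $(( last + max )))
  fi
  if [ -n "$expire" ]; then aexp=$(days_to_date "$expire"); else aexp=never; fi
  printf '%s %s %s %s\n' "$name" "$status" "$pexp" "$aexp"
}

# Constructed sample lines (hashes shortened; real ones are much longer).
SAMPLE_SHADOW='user1:$6$saltsalt$hashhash:18304:0:90:7::18424:
bob:!$6$saltsalt$hashhash:18304:0:90:7:::
svc:$6$saltsalt$hashhash:18304:0:99999:7:::
newhire:$6$saltsalt$hashhash:0:0:90:7:::'

# Run the audit over every sample line (on a real host: sudo cat /etc/shadow).
audit_shadow() {
  printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r line; do
    audit_shadow_line "$line"
  done
}
audit_shadow
```

The user1 line reproduces the chage -l output from Exercise 3 (password expires May 12, 2020; account expires Jun 11, 2020), bob shows a usermod -L lock, and newhire shows the chage -d 0 state from Exercise 1.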