Configure user password aging / expiration policy in Linux

In this tutorial, you will learn to set password expiration policies for Linux users, and to manually lock and unlock user accounts. Password aging and expiration limit how long a compromised or forgotten-but-still-valid password stays usable, so they help protect user accounts.

How password authentication works

When a user attempts to log in, the system looks up that user's entry in the /etc/shadow file, takes the plaintext password that was entered, and hashes it with the same algorithm and salt recorded in the stored hash. If the result matches the stored hash, the user entered the correct password. If it does not match, the user entered the wrong password and the login attempt fails.

You will learn:

  • Force a password change on first login.
  • Force a password change every X days.
  • Set a user account to expire X days from today.

Before starting, I will create a user account for this exercise.

sudo useradd user1
sudo passwd user1

The following exercises walk through each of these operations with examples.

Exercise 1: Force a password change on first login

To force a user to change their password the first time they log in, use the following command:

sudo chage -d 0 user1

If you log in as user1, you will be prompted to change your password.

$ ssh user1@localhost
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
user1@localhost's password: 
You are required to change your password immediately (administrator enforced)
Last login: Wed Feb 12 06:48:43 2020 from ::1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user user1.
Current password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
Connection to localhost closed.

You can now log in with your updated password.

ssh user1@localhost
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
user1@localhost's password: 
Last login: Wed Feb 12 06:48:53 2020 from ::1
[user1@localhost ~]$ exit
logout
Connection to localhost closed.

Exercise 2: Change the user’s password policy

Now we set a password policy that requires the user to choose a new password every 90 days.

sudo chage -M 90 user1

Confirm that the password policy is set successfully.

$ sudo chage -l user1
Last password change : Feb 12, 2020
Password expires : May 12, 2020
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7

Exercise 3: Set the user account to expire in X days

We will set the user1 account to expire 120 days from today.

Get the date 120 days from today:

$ date -d "+120 days" +%F
2020-06-11

Now set the account to expire on the date shown above.

sudo chage -E 2020-06-11 user1

Verify that the account expiration date was successfully set:

$ sudo chage -l user1
Last password change					: Feb 12, 2020
Password expires					: May 12, 2020
Password inactive					: never
Account expires						: Jun 11, 2020
Minimum number of days between password change		: 0
Maximum number of days between password change		: 90
Number of days of warning before password expires	: 7

Exercise 4: Lock and unlock user accounts

Locking an account prevents the user from authenticating with their password. The usermod command locks an account with the -L option.

sudo usermod -L user1

Confirm:

$ su - user1
Password: 
su: Authentication failure

The account can be unlocked later with the usermod -U option.

sudo usermod -U user1

As a system administrator, you can lock an account and set its expiry date in a single usermod command, which is ideal for former employees. Locking alone only disables the password (usermod places a ! in front of the stored hash), so adding an expiry date also blocks logins that use other authentication methods such as SSH keys.

sudo usermod -L -e 2020-02-20 user1

The date must be given in YYYY-MM-DD format or as the number of days since 1970-01-01.

Exercise 5: Set password policies for all users

Set the default maximum password age to 90 days for all users. Editing the file /etc/login.defs requires administrative permissions.

sudo vim /etc/login.defs

Set PASS_MAX_DAYS to 90.

PASS_MAX_DAYS   90


All password aging parameters you can configure are:

  • PASS_MAX_DAYS The maximum number of days that a password can be used.
  • PASS_MIN_DAYS The minimum number of days allowed between password changes.
  • PASS_MIN_LEN The minimum acceptable password length.
  • PASS_WARN_AGE The number of warning days given before the password expires.

When you edit the file /etc/login.defs, the default password and account expiration settings apply only to users created after the edit, not to existing users; use chage, as in the earlier exercises, to update accounts that already exist.
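To see how the settings from Exercises 1 to 5 look in /etc/shadow and to find existing accounts that the new /etc/login.defs default does not reach, here is an added audit script (not part of the original article). It reads a shadow-format file and a day number so it runs offline against a copied file; the sample data, user names and the helper names write_sample_shadow, shadow_report and propose_max_days are all constructed for this example.

```shell
#!/bin/sh
# Added example: audit password-aging state from a shadow-format file and
# propose chage commands, without touching any account.  /etc/shadow fields:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are days since 1970-01-01; max=99999 means "never".

# write_sample_shadow FILE: constructed sample as of 2020-02-12 (day 18304).
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$salt$hash:18000:0:99999:7:::
user1:$6$salt$hash:18304:0:90:7:::
newhire:$6$salt$hash:0:0:90:7:::
stale:$6$salt$hash:18100:0:90:7:::
contractor:$6$salt$hash:18200:0:99999:7::18300:
former:!$6$salt$hash:18200:0:99999:7::18292:
EOF
}

# shadow_report FILE TODAY: print "user state" per line, where state is
# locked | account-expired | must-change | password-expired | ok.
# TODAY is a day number; for the live system use $(( $(date -u +%s) / 86400 )).
shadow_report() {
    awk -F: -v today="$2" '{
        state = "ok"
        if ($2 ~ /^[!*]/)                     state = "locked"           # usermod -L
        else if ($8 != "" && $8 + 0 <= today) state = "account-expired"  # chage -E
        else if ($3 == "0")                   state = "must-change"      # chage -d 0
        else if ($5 != "" && $5 + 0 < 99999 && $3 + $5 < today)
                                              state = "password-expired" # chage -M
        print $1, state
    }' "$1"
}

# propose_max_days FILE MAX: print (do not run) the chage commands that would
# bring every unlocked account in FILE to MAX days, since login.defs only
# covers accounts created later.  Drop system/service accounts before running.
propose_max_days() {
    awk -F: -v max="$2" '$2 !~ /^[!*]/ && $5 != max {
        printf "chage -M %d %s\n", max, $1
    }' "$1"
}

# Stand-alone run against the constructed sample:
sample=$(mktemp) && write_sample_shadow "$sample"
shadow_report "$sample" 18304
propose_max_days "$sample" 90
rm -f "$sample"
```

Run shadow_report against a root-only copy of /etc/shadow (cp, then chown to your admin user) rather than granting the script access to the live file.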
