Configure user password aging / expiration policy in Linux

In this tutorial, you will learn to set password expiration policies for Linux users, as well as manually lock and unlock user accounts. Implementing password aging and expiration helps protect user accounts by limiting how long a stale or compromised password stays usable.

How password authentication works

When a user attempts to log in, the system looks up that user’s entry in the /etc/shadow file, takes the plaintext password the user typed, and hashes it with the same hash algorithm and salt recorded in that entry. If the result matches the stored hash, the user entered the correct password. If it does not match, the user entered the wrong password and the login attempt fails.

You will learn:

  • Force a password change on first login.
  • Force a password change every X days.
  • Set a user account to expire X days from today.

Before starting, I will create a user account for this exercise.

    sudo useradd user1
    sudo passwd user1

The exercises below walk through each of these user-management actions with examples.

Exercise 1: Force a password change on first login

To force a user to change their password the first time they log in, set the last password change date to 0 with chage:

    sudo chage -d 0 user1

If you log in as user1, you will be prompted to change your password.

    $ ssh user1@localhost
    Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
    user1@localhost's password: 
    You are required to change your password immediately (administrator enforced)
    Last login: Wed Feb 12 06:48:43 2020 from ::1
    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for user user1.
    Current password: 
    New password: 
    Retype new password: 
    passwd: all authentication tokens updated successfully.
    Connection to localhost closed.

You can now log in with your updated password.

    $ ssh user1@localhost
    Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
    user1@localhost's password: 
    Last login: Wed Feb 12 06:48:53 2020 from ::1
    [user1@localhost ~]$ exit
    logout
    Connection to localhost closed.

Exercise 2: Change the user’s password policy

Now we set up a password policy that requires the user to choose a new password every 90 days.

    sudo chage -M 90 user1

Confirm that the password policy is set successfully.

    $ sudo chage -l user1
    Last password change                                    : Feb 12, 2020
    Password expires                                        : May 12, 2020
    Password inactive                                       : never
    Account expires                                         : never
    Minimum number of days between password change          : 0
    Maximum number of days between password change          : 90
    Number of days of warning before password expires       : 7

Exercise 3: Set the user account to expire in X days

We will set the user1 account to expire 120 days from today.

Get the date and time 120 days from the current date:

    $ date -d "+120 days" +%F
    2020-06-11

Now set the account to expire on the date shown above.

    sudo chage -E 2020-06-11 user1

Verify that the account expiration date was successfully set:

    $ sudo chage -l user1
    Last password change                                    : Feb 12, 2020
    Password expires                                        : May 12, 2020
    Password inactive                                       : never
    Account expires                                         : Jun 11, 2020
    Minimum number of days between password change          : 0
    Maximum number of days between password change          : 90
    Number of days of warning before password expires       : 7

Exercise 4: Lock and unlock user accounts

Locking an account prevents the user from authenticating with their password (the password hash in /etc/shadow is prefixed with a !). The usermod command locks an account with the -L option.

    sudo usermod -L user1

Confirm:

    $ su - user1
    Password: 
    su: Authentication failure

The account can be unlocked later with the usermod -U option.

    sudo usermod -U user1

As a system administrator, you can lock and expire an account with a single usermod command. This is ideal for former employees: a password lock alone only blocks password authentication, while the expiration date also blocks logins that use other methods, such as SSH keys.

    sudo usermod -L -e 2020-02-20 user1

The date must be given either as the number of days since 1970-01-01 or in YYYY-MM-DD format.

Exercise 5: Set password policies for all users

To make user passwords expire 90 days after they are set, edit the file /etc/login.defs. Editing it requires administrative permissions.

    sudo vim /etc/login.defs

Set PASS_MAX_DAYS to 90.

    PASS_MAX_DAYS   90

All password aging parameters you can configure are:

  • PASS_MAX_DAYS: the maximum number of days that a password can be used.
  • PASS_MIN_DAYS: the minimum number of days allowed between password changes.
  • PASS_MIN_LEN: the minimum acceptable password length.
  • PASS_WARN_AGE: the number of warning days given before the password expires.

When you edit /etc/login.defs, the default password and account expiration settings apply only to users created afterwards; existing users keep their current settings, so adjust those with chage as shown in the earlier exercises.
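Because /etc/login.defs does not touch existing accounts, it is worth auditing which accounts still lack a maximum password age, are locked, or have already expired. The script below is an added example, not part of the original tutorial: it reads a constructed /etc/shadow-format sample (placeholder hashes, not real ones) instead of the real file, so it runs without root, and takes "today" as a day count since 1970-01-01, the same unit chage -E and usermod -e accept.

```shell
#!/bin/sh
# Audit password-aging state from /etc/shadow-format lines.
# Field layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (lastchg and expire are days since 1970-01-01; Feb 12, 2020 = 18304).

# Constructed sample; the hashes are placeholders, not real password hashes.
SHADOW_SAMPLE='user1:$6$PLACEHOLDER$HASH:18304:0:90:7::18424:
user2:!$6$PLACEHOLDER$HASH:18200:0:99999:7:::
user3:$6$PLACEHOLDER$HASH:18100:0:99999:7:::
user4:$6$PLACEHOLDER$HASH:18100:0:90:7:::
olduser:$6$PLACEHOLDER$HASH:17900:0:90:7::18250:
svc1:*:18304:0:99999:7:::'

# audit_shadow SHADOW_TEXT TODAY_DAYS
# Prints "name status finding" for every account that has a password.
# status  : LOCKED if the hash starts with "!" (usermod -L), else ACTIVE
# finding : ACCOUNT-EXPIRED (chage -E / usermod -e date has passed),
#           NO-MAX-AGE (max field empty or 99999), PASSWORD-EXPIRED
#           (lastchg + max has passed), or OK
audit_shadow() {
  printf '%s\n' "$1" | awk -F: -v today="$2" '
    BEGIN { t = today + 0 }
    NF < 8 { next }                                   # skip malformed lines
    {
      name = $1; hash = $2; lastchg = $3 + 0; max = $5; expire = $8
      if (hash == "*" || hash == "") next             # no password login at all
      status = (substr(hash, 1, 1) == "!") ? "LOCKED" : "ACTIVE"
      finding = "OK"
      if (expire != "" && expire + 0 <= t)
        finding = "ACCOUNT-EXPIRED"
      else if (max == "" || max + 0 >= 99999)
        finding = "NO-MAX-AGE"
      else if (lastchg + max + 0 <= t)
        finding = "PASSWORD-EXPIRED"
      print name, status, finding
    }'
}

# count_findings SHADOW_TEXT TODAY_DAYS FINDING -> number of accounts with that finding
count_findings() {
  audit_shadow "$1" "$2" | awk -v f="$3" '$3 == f { n++ } END { print n + 0 }'
}

audit_shadow "$SHADOW_SAMPLE" 18304
```

On a real system, run it as root with `audit_shadow "$(cat /etc/shadow)" "$(( $(date +%s) / 86400 ))"`; every NO-MAX-AGE line is a candidate for `chage -M 90`.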
