In this tutorial, you’ll learn to set a password expiry policy for Linux users, as well as manually lock and unlock user accounts. Password aging and account expiration put a time limit on credentials: a password that has leaked, or an account that nobody remembered to disable, stops working on its own after a known interval instead of staying valid indefinitely.

How password verification works

When a user logs in, the system (on Linux, the pam_unix module) looks up the user’s entry in /etc/shadow. The second field of that entry holds the stored password hash in the form $id$salt$hash, where id identifies the hashing scheme (for example 6 for SHA-512 crypt, y for yescrypt) and salt is a random per-user value chosen when the password was set. The password that was typed in is hashed with the same scheme and the same salt, and the result is compared with the stored hash: a match means the right password was typed, anything else fails the login attempt. The password itself is never stored, and the salt ensures that two users with the same password still have different hashes. Because /etc/shadow is readable only by root, pam_unix hands the comparison to the setuid helper unix_chkpwd when the calling process lacks that access.
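The check described above, done by hand against a crypt-style hash. This is an added example and not code from the original tutorial: it assumes OpenSSL 1.1.1 or later, whose passwd -6 subcommand stands in for the C library’s SHA-512 crypt, and it handles only $6$ hashes without a rounds= parameter. The real login path calls crypt(3) through pam_unix, which delegates to the setuid helper unix_chkpwd when the caller is not root.

```shell
#!/bin/sh
# Added example (not from the original tutorial): recompute a shadow(5)-style
# hash and compare it with the stored value, the way pam_unix does at login.
# Assumption: openssl 1.1.1+ is installed; "openssl passwd -6" stands in for
# the C library's SHA-512 crypt implementation.

# make_hash PASSWORD SALT -> prints the $6$SALT$hash string passwd(1) would store.
# The password is passed on stdin so it never appears in the process list.
make_hash() {
    printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin
}

# verify_password STORED_HASH PASSWORD -> exit 0 if PASSWORD matches, 1 if not,
# 2 if the hash scheme is not handled here.
verify_password() {
    stored=$1
    password=$2
    # The stored value is $id$salt$hash; field 1 (before the first $) is empty.
    id=$(printf '%s' "$stored" | cut -d '$' -f 2)
    salt=$(printf '%s' "$stored" | cut -d '$' -f 3)
    # Only id 6 (SHA-512 crypt) without a rounds= parameter is supported.
    if [ "$id" != 6 ] || [ "${salt#rounds=}" != "$salt" ]; then
        echo "unsupported hash scheme in: $stored" >&2
        return 2
    fi
    # Hash the candidate with the stored salt, then compare the whole string.
    recomputed=$(make_hash "$password" "$salt")
    [ "$recomputed" = "$stored" ]
}

# Demonstration with a constructed password and salt (not a real account):
STORED=$(make_hash 'correct horse battery' 'Qm7tZ1pK')
echo "stored: $STORED"
verify_password "$STORED" 'correct horse battery' && echo "right password: match"
verify_password "$STORED" 'Correct horse battery' || echo "wrong password: no match"
```

The comparison is on the full string, so a hash produced with a different salt or scheme never matches even for the right password; that is exactly why the stored salt has to be reused rather than a fresh one generated.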

You’ll learn to:

  • Force a password change on the first time login.
  • Force a password change every X number of days.
  • Set a user account to expire X days from the current day.

Before we get started, I’ll create a user account for this exercise. The -m option creates the home directory; Red Hat-style systems do this by default, Debian-style systems do not.

sudo useradd -m user1
sudo passwd user1

Each exercise below shows the command to run and the output you should expect.

Exercise 1: Force a password change on the first login

To force a password change on the first login, set the date of the user’s last password change to day 0 (1970-01-01). The login process treats such a password as already expired:

sudo chage -d 0 user1

If you log in as user1, you’ll be prompted to change the password.

$ ssh user1@localhost
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
user1@localhost's password: 
You are required to change your password immediately (administrator enforced)
Last login: Wed Feb 12 06:48:43 2020 from ::1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user user1.
Current password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
Connection to localhost closed.

You can now log in with the updated password:

$ ssh user1@localhost
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
user1@localhost's password: 
Last login: Wed Feb 12 06:48:53 2020 from ::1
[user1@localhost ~]$ exit
logout
Connection to localhost closed.

Exercise 2: Change the password policy for user

Let’s now set a password policy that requires a new password every 90 days. The limit counts from the “Last password change” date, which for user1 is the date of the change made at first login in Exercise 1.

sudo chage -M 90 user1

Confirm that the password policy is successfully set.

$ sudo chage -l user1
Last password change					: Feb 12, 2020
Password expires					: May 12, 2020
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 90
Number of days of warning before password expires	: 7

Exercise 3: Set user account to expire after X number of days

We’ll set the user1 account to expire 120 days from the current day.

Get the date and time 120 days from the current:

$ date -d "+120 days" +%F
2020-06-11

Now set the account to expire on the date displayed above.

sudo chage -E 2020-06-11 user1

Verify that the account expiry date is successfully set. Note the difference between the two dates in the output: when the password expires, the user is made to choose a new one; when the account expires, every login is refused regardless of authentication method, and only an administrator can reopen it by clearing the date with chage -E -1 user1.

$ sudo chage -l user1
Last password change					: Feb 12, 2020
Password expires					: May 12, 2020
Password inactive					: never
Account expires						: Jun 11, 2020
Minimum number of days between password change		: 0
Maximum number of days between password change		: 90
Number of days of warning before password expires	: 7

Exercise 4: Lock & Unlock user account

Locking an account with the -L option of usermod prefixes its password hash in /etc/shadow with a !, so that no password can match it and password authentication fails. It does not block other authentication methods such as SSH public keys; for that, set an account expiry date as well, as shown at the end of this exercise.

sudo usermod -L user1

Confirm that password authentication now fails:

$ su - user1
Password: 
su: Authentication failure

The account can later be unlocked with the -U option of usermod, which removes the ! prefix from the hash:

sudo usermod -U user1

As a system administrator, you can lock the password and set an account expiry date with a single usermod command. This is the right approach for departed employees: -L stops password logins, and -e stops every other login method once the date has been reached, so choose a date that has already passed to disable the account immediately (the example below uses a date in the future only to match the timeline of this tutorial).

sudo usermod -L -e 2020-02-20 user1

The date must be given as the number of days since 1970-01-01, or in the YYYY-MM-DD format. Check the result with sudo chage -l user1, which now shows the new expiry date.
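The four exercises each change a different field of the /etc/shadow entry, and the login process reads them back together. The script below is an added example, not part of the original tutorial: it evaluates a shadow(5) line against a given day number the way pam_unix’s account check does, and runs on constructed entries that reproduce the states from Exercises 1 to 4 (day 18304 is 2020-02-12, the date in the tutorial’s output). The status labels are this script’s own names, not PAM’s.

```shell
#!/bin/sh
# Added example (not from the original tutorial): evaluate the aging fields of a
# shadow(5) entry the way pam_unix's account check does. Fields are
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# with every day value counted from 1970-01-01, exactly as stored in /etc/shadow.

# shadow_status ENTRY TODAY -> prints one status word; TODAY is a day number.
shadow_status() {
    entry=$1
    today=$2
    # IFS=: splits on every colon, so empty fields stay empty.
    IFS=: read -r _name hash lastchg _min max warn inactive expire _rest <<EOF
$entry
EOF
    # An empty aging field means "not set"; pam_unix treats it as -1.
    lastchg=${lastchg:--1}; max=${max:--1}; warn=${warn:--1}
    inactive=${inactive:--1}; expire=${expire:--1}

    # usermod -L prefixes the hash with '!': only password authentication is
    # refused; the account checks below still apply to every login method.
    prefix=""
    case $hash in
        '!'*) prefix="locked," ;;
    esac

    # chage -E / usermod -e: on or after the expiry day no login is allowed.
    if [ "$expire" -gt 0 ] && [ "$today" -ge "$expire" ]; then
        echo "${prefix}account-expired"; return
    fi
    # chage -d 0: a last change on day 0 forces a new password at login.
    if [ "$lastchg" -eq 0 ]; then
        echo "${prefix}change-required"; return
    fi
    # No maximum age (chage -M -1) means the password never expires.
    if [ "$max" -lt 0 ] || [ "$lastchg" -lt 0 ]; then
        echo "${prefix}ok"; return
    fi
    age=$((today - lastchg))
    # chage -I: past max+inactive days the user may no longer change it at all.
    if [ "$inactive" -ge 0 ] && [ "$age" -gt $((max + inactive)) ]; then
        echo "${prefix}inactive"; return
    fi
    # chage -M: older than max days means a change is required at login.
    if [ "$age" -gt "$max" ]; then
        echo "${prefix}password-expired"; return
    fi
    # chage -W: inside the warning window, report the days that remain.
    if [ "$warn" -ge 0 ] && [ "$age" -gt $((max - warn)) ]; then
        echo "${prefix}warn:$((lastchg + max - today))"; return
    fi
    echo "${prefix}ok"
}

# Constructed entries reproducing Exercises 1-4 (day 18304 is 2020-02-12):
AFTER_D0='user1:$6$salt$hash:0:0:90:7:::'             # after chage -d 0
AFTER_M90_E='user1:$6$salt$hash:18304:0:90:7::18424:'  # after chage -M 90 -E 2020-06-11
LOCKED='user1:!$6$salt$hash:18304:0:90:7::18424:'      # after usermod -L
echo "first login:       $(shadow_status "$AFTER_D0"    18304)"
echo "same day:          $(shadow_status "$AFTER_M90_E" 18304)"
echo "86 days later:     $(shadow_status "$AFTER_M90_E" 18390)"
echo "91 days later:     $(shadow_status "$AFTER_M90_E" 18395)"
echo "120 days later:    $(shadow_status "$AFTER_M90_E" 18424)"
echo "locked, same day:  $(shadow_status "$LOCKED"      18304)"
# Against the real file (root only): today=$(( $(date +%s) / 86400 ))
#   sudo grep '^user1:' /etc/shadow | while IFS= read -r l; do shadow_status "$l" "$today"; done
```

The order of the checks matters: account expiry is tested before anything about the password, which is why an expired account cannot be rescued by changing the password, and the locked prefix is reported alongside the account state because a ! only affects the password comparison, not the aging checks.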

Exercise 5: Set password policy for all users

Set the default maximum password age to 90 days for accounts created from now on. Administrative rights are required to edit the file /etc/login.defs, which useradd reads when it creates a user.

sudo vim /etc/login.defs

Set PASS_MAX_DAYS to 90.

PASS_MAX_DAYS   90


The password aging parameters in this file are:

  • PASS_MAX_DAYS Maximum number of days a password may be used.
  • PASS_MIN_DAYS Minimum number of days allowed between password changes.
  • PASS_WARN_AGE Number of days warning given before a password expires.

Some copies of the file also list PASS_MIN_LEN (minimum acceptable password length), but on systems that authenticate through PAM it is not consulted; minimum length and other quality rules are set in the pam_pwquality (or older pam_cracklib) configuration.

Editing /etc/login.defs changes only the defaults that useradd copies into the /etc/shadow entry of each new user. Existing users keep their current aging fields, so they must be updated individually with chage.
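Applying the policy to the accounts that already exist. The script below is an added example, not part of the original tutorial: it reads UID_MIN and UID_MAX from a login.defs-format file and the account list from a passwd(5)-format file, both constructed inline here, and prints the chage command for each interactive account. Treating an account as interactive when its UID lies in that range and its shell is not nologin or false is an assumption about how human accounts are laid out on the system.

```shell
#!/bin/sh
# Added example (not from the original tutorial): list the existing interactive
# accounts and emit the chage command that puts each one under the maximum
# password age. Assumption: human accounts have a UID between UID_MIN and
# UID_MAX (from login.defs) and a login shell other than nologin or false.

# uid_range  (login.defs on stdin) -> prints "UID_MIN UID_MAX", falling back to
# the shadow-utils defaults of 1000 and 60000 when a value is missing.
uid_range() {
    awk '$1 == "UID_MIN" { lo = $2 }
         $1 == "UID_MAX" { hi = $2 }
         END { lo = (lo == "" ? 1000 : lo); hi = (hi == "" ? 60000 : hi); print lo, hi }'
}

# interactive_users UID_MIN UID_MAX  (passwd on stdin) -> one login name per line
interactive_users() {
    awk -F: -v lo="$1" -v hi="$2" \
        '$3 >= lo && $3 <= hi && $7 !~ /(nologin|false)$/ { print $1 }'
}

# chage_commands MAX_DAYS UID_MIN UID_MAX  (passwd on stdin) -> one command per line
chage_commands() {
    interactive_users "$2" "$3" | while IFS= read -r user; do
        printf 'chage -M %s %s\n' "$1" "$user"
    done
}

# Constructed sample input standing in for /etc/login.defs and /etc/passwd:
sample_login_defs() {
    printf 'PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t0\nPASS_WARN_AGE\t7\nUID_MIN\t1000\nUID_MAX\t60000\n'
}
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user1:x:1000:1000::/home/user1:/bin/bash
backup-svc:x:1001:1001::/var/lib/backup:/usr/sbin/nologin
alice:x:1002:1002::/home/alice:/bin/zsh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}

# Demonstration: print the commands. On a real system, feed /etc/login.defs and
# /etc/passwd instead and run the output as root, for example
#   range=$(uid_range < /etc/login.defs)
#   chage_commands 90 ${range% *} ${range#* } < /etc/passwd | sudo sh
range=$(sample_login_defs | uid_range)
lo=${range% *}
hi=${range#* }
sample_passwd | chage_commands 90 "$lo" "$hi"
```

Review the printed list before piping it into a root shell: service accounts that happen to have an interactive shell would also get the 90-day limit, and a forced password change on an account nobody logs in to interactively is how batch jobs silently stop authenticating.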
