In this tutorial, you’ll learn to configure password aging and expiry policy for Linux users, and to lock and unlock user accounts by hand. Password aging and account expiry exist to bound how long a leaked, shared or forgotten-to-revoke credential stays usable: a password that must change every N days, or an account that stops working on a set date, limits the window an attacker has with a stolen password.
How Password Verification works
When a user tries to log in, the system looks up the user's entry in /etc/shadow. (The file is readable only by root, so programs such as su and sshd do this through PAM's pam_unix module, which calls the setuid unix_chkpwd helper when the calling process is unprivileged.) The second field of the entry holds the stored hash in crypt(5) form, $id$salt$hash, where the id names the hashing algorithm (for example $6$ for SHA-512 crypt, $y$ for yescrypt) and the salt is a random per-user string. The system hashes the password the user typed with that same algorithm and salt and compares the result with the stored hash. If they match, the user typed the right password; if not, the login attempt fails. Note that the password is hashed, not encrypted: the stored value cannot be turned back into the password. The same /etc/shadow entry also carries the aging fields (day of last change, minimum and maximum age, warning period, inactivity period and account expiry day) that the rest of this tutorial sets with chage and usermod.
You’ll learn to:
- Force a password change on the first time login.
- Force a password change every X number of days.
- Set a user account to expire X days from the current day.
Before we get started, create a user account for this exercise:
sudo useradd user1
sudo passwd user1
Every exercise below operates on this user1 account and shows the command together with its output.
Exercise 1: Force a password change on the first login
To force a password change on first login, set the user's last-password-change date to day 0 (1970-01-01). The login stack treats a last-change value of 0 as "the password must be changed now":
sudo chage -d 0 user1
If you log in as user1, you’ll be prompted to change the password.
$ ssh user1@localhost
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
user1@localhost's password:
You are required to change your password immediately (administrator enforced)
Last login: Wed Feb 12 06:48:43 2020 from ::1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user user1.
Current password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to localhost closed.
You can now log in with the updated password:
$ ssh user1@localhost
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
user1@localhost's password:
Last login: Wed Feb 12 06:48:53 2020 from ::1
[user1@localhost ~]$ exit
logout
Connection to localhost closed.
Exercise 2: Change the password policy for user
Let’s now set a password policy to require a new password every 90 days.
sudo chage -M 90 user1
Confirm that the password policy is successfully set.
$ sudo chage -l user1
Last password change                                    : Feb 12, 2020
Password expires                                        : May 12, 2020
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
Exercise 3: Set user account to expire after X number of days
We’ll set the user1 account to expire 120 days from the current day.
Compute the date 120 days from today:
$ date -d "+120 days" +%F
2020-06-11
Now set the account to expire on the date displayed above.
sudo chage -E 2020-06-11 user1
Verify that the account expiry date is successfully set:
$ sudo chage -l user1
Last password change                                    : Feb 12, 2020
Password expires                                        : May 12, 2020
Password inactive                                       : never
Account expires                                         : Jun 11, 2020
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
Exercise 4: Lock & Unlock user account
Locking an account prevents the user from authenticating to the system with a password. usermod -L does this by prepending a "!" to the password hash in /etc/shadow, so no typed password can ever hash to the stored value. It does not touch anything else: SSH public keys in the user's authorized_keys, sudo rules and other non-password mechanisms keep working, so a lock alone does not keep a user with an SSH key out. Lock the account with the -L option:
sudo usermod -L user1
$ su - user1
Password:
su: Authentication failure
The account can later be unlocked with usermod -U, which removes the "!" and restores the original hash, so the user's old password works again:
sudo usermod -U user1
To cut off every login method at once, combine the lock with an account expiry date in a single usermod command. Account expiry is enforced by the account check that PAM-aware services run before opening a session, which covers SSH public-key logins as well as password logins. This is the right way to handle departed employees; use today's date, or an earlier one, to disable access immediately:
sudo usermod -L -e 2020-02-20 user1
Give the date in YYYY-MM-DD format. An empty date (usermod -e "" user1) removes the expiry again; chage -E accepts the same format and, additionally, the number of days since 1970-01-01. Either way, confirm the result with chage -l user1, which reports the "Account expires" date and whether the password is locked.
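The following POSIX shell script is an added example and is not part of the original article. It decodes a shadow(5) entry the way the verification step described under "How Password Verification works" and the chage -l output in Exercises 2 and 3 read it, and it recognises the "!" lock marker that usermod -L writes in Exercise 4. The entry, the placeholder hash and the day numbers are constructed for this page (18304 is 2020-02-12, 18394 is 2020-05-12, 18424 is 2020-06-11); the function names are this example's own.

```shell
# Added example (not from the original article): decode a constructed shadow(5)
# entry. Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# Day numbers count days since 1970-01-01. The hash is a placeholder string.
SAMPLE_SHADOW='user1:$6$Zq3F9w1kRtG2pLx4$PLACEHOLDERHASH:18304:0:90:7::18424:'

# shadow_field ENTRY N: print the Nth colon-separated field of ENTRY.
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# password_state HASHFIELD: how the hash field affects password authentication.
# A leading "!" is what usermod -L (and passwd -l) prepend; it makes the hash
# unmatchable without destroying it, which is why usermod -U can restore it.
password_state() {
    case "$1" in
        '')   echo empty ;;      # no password required: a serious misconfiguration
        '!'*) echo locked ;;     # usermod -L / passwd -l
        '*'*) echo disabled ;;   # never had a usable password (system accounts)
        *)    echo active ;;
    esac
}

# hash_algorithm HASHFIELD: crypt(5) prefix to algorithm name, ignoring a lock marker.
hash_algorithm() {
    h=${1#!}
    case "$h" in
        '$6$'*)  echo sha512crypt ;;
        '$5$'*)  echo sha256crypt ;;
        '$y$'*)  echo yescrypt ;;
        '$2b$'*) echo bcrypt ;;
        '$1$'*)  echo md5crypt ;;
        *)       echo unknown ;;
    esac
}

# hash_salt HASHFIELD: the salt the system combines with the typed password.
# For $1$/$5$/$6$ the salt is the third "$"-separated field; yescrypt ($y$)
# carries a parameter string first, so its salt is the fourth.
hash_salt() {
    h=${1#!}
    case "$h" in
        '$y$'*) printf '%s\n' "$h" | cut -d'$' -f4 ;;
        *)      printf '%s\n' "$h" | cut -d'$' -f3 ;;
    esac
}

# password_expiry_day ENTRY: lastchange + max (what chage -l shows as
# "Password expires"), or "never" when no maximum is set.
password_expiry_day() {
    last=$(shadow_field "$1" 3); max=$(shadow_field "$1" 5)
    if [ -z "$last" ] || [ -z "$max" ] || [ "$max" -lt 0 ]; then
        echo never
    else
        echo $((last + max))
    fi
}

# account_state ENTRY TODAY: the checks pam_unix performs at login, in order.
account_state() {
    today=$2
    last=$(shadow_field "$1" 3); max=$(shadow_field "$1" 5)
    inact=$(shadow_field "$1" 7); expire=$(shadow_field "$1" 8)
    age=-1
    [ -n "$last" ] && age=$((today - last))
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo "account expired"                      # chage -E / usermod -e
    elif [ "$last" = 0 ]; then
        echo "password change required"             # chage -d 0
    elif [ "$age" -ge 0 ] && [ -n "$max" ] && [ -n "$inact" ] && [ "$age" -gt $((max + inact)) ]; then
        echo "password inactive"                    # expired and past the grace period
    elif [ "$age" -ge 0 ] && [ -n "$max" ] && [ "$age" -gt "$max" ]; then
        echo "password expired"                     # must change at next login
    else
        echo ok
    fi
}

# days_to_date DAYS: render a shadow day count as YYYY-MM-DD (GNU/busybox date).
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%F
}

# Report for the sample entry as of 2020-05-13 (day 18395), one day past the maximum age.
hash=$(shadow_field "$SAMPLE_SHADOW" 2)
exp=$(password_expiry_day "$SAMPLE_SHADOW")
[ "$exp" = never ] || exp=$(days_to_date "$exp")
echo "user:      $(shadow_field "$SAMPLE_SHADOW" 1)"
echo "password:  $(password_state "$hash"), $(hash_algorithm "$hash"), salt $(hash_salt "$hash")"
echo "expires:   $exp"
echo "state:     $(account_state "$SAMPLE_SHADOW" 18395)"
```

To reproduce the comparison step itself on a real entry, recompute the hash with the salt the function extracts, for example openssl passwd -6 -salt "$(hash_salt "$hash")" 'the-typed-password', and compare the output with the full second field; a match is exactly what the login stack accepts. Reading /etc/shadow requires root, which is also why the lock marker and the expiry fields cannot be tampered with by the user they apply to.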
Exercise 5: Set password policy for all users
Set the default maximum password age to 90 days for every account created from now on. Editing /etc/login.defs requires administrative rights:
sudo vim /etc/login.defs
Set PASS_MAX_DAYS to 90, so that the line reads:
PASS_MAX_DAYS   90
The password aging parameters you can configure in /etc/login.defs are:
- PASS_MAX_DAYS Maximum number of days a password may be used.
- PASS_MIN_DAYS Minimum number of days allowed between password changes.
- PASS_MIN_LEN Minimum acceptable password length. On PAM-based systems (practically every current distribution) this value is ignored; length and complexity rules come from pam_pwquality or pam_cracklib in /etc/pam.d instead.
- PASS_WARN_AGE Number of days of warning given before a password expires.
useradd copies PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE into the new user's /etc/shadow entry at creation time. Editing /etc/login.defs therefore only changes the defaults for accounts created afterwards; existing accounts keep whatever values already sit in /etc/shadow, and you must update them individually with chage (for example chage -M 90 user1), then confirm with chage -l.
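Because login.defs leaves existing users untouched, the policy has to be pushed to them with chage. The POSIX shell script below is an added example, not part of the original article: it selects the regular interactive accounts from passwd-format input and emits the chage commands for review before anything is run as root. The passwd lines are constructed for an offline run, the function names are this example's own, and the UID range mirrors the usual UID_MIN/UID_MAX defaults in login.defs.

```shell
# Added example (not from the original article): apply a new maximum password
# age to accounts that already exist, which editing /etc/login.defs does not do.
# These passwd(5) lines are constructed for an offline run, not copied from a host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user1:x:1000:1000::/home/user1:/bin/bash
backup-svc:x:1001:1001::/var/lib/backup:/usr/sbin/nologin
alice:x:1002:1002::/home/alice:/bin/zsh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# select_regular_users [UID_MIN] [UID_MAX]: read passwd-format lines on stdin and
# print the login names of interactive accounts: UID inside the login.defs
# UID_MIN..UID_MAX range (defaults 1000..60000) and a shell that permits login.
# root and service accounts are skipped on purpose, so a policy rollout cannot
# expire a daemon's account or the emergency root login.
select_regular_users() {
    awk -F: -v lo="${1:-1000}" -v hi="${2:-60000}" \
        '$3 >= lo && $3 <= hi && $7 !~ /\/(nologin|false)$/ { print $1 }'
}

# aging_commands MAX_DAYS [WARN_DAYS]: for each login name on stdin emit the
# chage invocation that applies the policy. Emitting the commands instead of
# running them lets you review the list before anything touches /etc/shadow.
aging_commands() {
    while IFS= read -r login; do
        printf 'chage -M %s -W %s %s\n' "$1" "${2:-7}" "$login"
    done
}

# Dry run against the constructed sample: prints one chage line per regular user.
printf '%s\n' "$SAMPLE_PASSWD" | select_regular_users | aging_commands 90
# On a real host, review the output, then execute it as root:
#   getent passwd | select_regular_users | aging_commands 90 | sudo sh -x
```

chage -M writes the maximum-age field of each user's /etc/shadow entry directly, which is the same field useradd fills from PASS_MAX_DAYS for new accounts, so after this run chage -l shows the 90-day policy for old and new users alike. Keep the warning period (-W) consistent with PASS_WARN_AGE so users get the same notice regardless of when their account was created.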