Managing User Account and Password Expiry with the "chage" Command (with examples)

The “chage” command in Linux allows administrators to manage user account and password expiry information. It provides a range of options to control when a user’s password expires, set an account expiration date, and enforce password changes on the next login. In this article, we will explore different use cases of the “chage” command and provide code examples to illustrate the usage in various scenarios.

Use Case 1: Listing Password Information for a User

The command chage --list username enables administrators to view the password-related information for a specific user. It includes details such as the password expiry date, the date of the last password change, and other account aging information.

Code:

chage --list username

Motivation: This use case is helpful when administrators need to check the expiration status and aging information of a user account. By reviewing the output of this command, administrators can promptly identify if a user’s password is about to expire or if the account requires any attention.

Explanation:

• The --list option is used to list the account aging and password information for the specified user.
• username should be replaced with the actual username of the user.

Example Output:

Last password change					: Aug 12, 2022
Password expires					: Sep 11, 2022
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 7
Maximum number of days between password change		: 30
Number of days of warning before password expires	: 7

Use Case 2: Enabling Password Expiration in a Specific Number of Days

The command sudo chage --maxdays 10 username allows administrators to set a maximum number of days until a user’s password expires. By specifying a value, administrators can enforce password expiration after a specific number of days.

Code:

sudo chage --maxdays 10 username

Motivation: Enabling password expiration adds an additional layer of security by ensuring that users regularly change their passwords, reducing the risk of compromised accounts. This use case is useful when there is a need to enforce periodic password changes.

Explanation:

• The --maxdays option sets the maximum number of days until the password expires.
• The value 10 indicates that the password will expire in ten days.
• username should be replaced with the actual username of the user.

Example Output: No output is displayed for this command. The password expiration date will be updated based on the specified number of days.

Use Case 3: Disabling Password Expiration

The command sudo chage --maxdays -1 username allows administrators to disable password expiration for a specific user. By setting the maximum number of days to -1, the user’s password will no longer expire.

Code:

sudo chage --maxdays -1 username

Motivation: There are scenarios where disabling password expiration is necessary. For example, for service accounts or accounts used by automated processes, it may not be practical or necessary to regularly change passwords. This use case enables administrators to ensure that a specific user’s password does not expire.

Explanation:

• The --maxdays option sets the maximum number of days until the password expires.
• The value -1 indicates that the password expiration is disabled.
• username should be replaced with the actual username of the user.

Example Output: No output is displayed for this command. The password expiration date will be updated to reflect that it is disabled.

Use Case 4: Setting an Account Expiration Date

The command sudo chage --expiredate YYYY-MM-DD username allows administrators to set an expiration date for a user account. After the specified date, the user will no longer be able to log in.

Code:

sudo chage --expiredate 2022-12-31 username

Motivation: Setting an account expiration date can be useful in various scenarios. For example, when an employee is leaving the organization, administrators can set an expiration date to disable access to the user’s account in a timely manner.

Explanation:

• The --expiredate option sets the account expiration date.
• The value YYYY-MM-DD should be replaced with the desired expiration date.
• username should be replaced with the actual username of the user.

Example Output: No output is displayed for this command. The account expiration date will be updated to the specified value.

Use Case 5: Forcing a User to Change Password on Next Login

The command sudo chage --lastday 0 username allows administrators to force a user to change their password during their next login. Upon logging in, the user will be prompted to change their current password.

Code:

sudo chage --lastday 0 username

Motivation: By enforcing a password change on the next login, administrators can ensure that users periodically update their passwords. This is particularly useful when there is a need to immediately strengthen the security of a user account.

Explanation:

• The --lastday option sets the number of days since January 1, 1970, when the password was last changed.
• The value 0 forces the user to change their password immediately.
• username should be replaced with the actual username of the user.

Example Output: No output is displayed for this command. The password change will be enforced during the next login.

In conclusion, the “chage” command provides administrators with the capabilities to manage user account and password expiry information effectively. By exploring the different use cases demonstrated in this article, administrators can enhance security measures, enforce password changes, and control access to user accounts.