Exploring the 'chage' Command for User Account Management (with examples)
- Linux
- December 17, 2024
The chage command is a powerful tool used to manage user account and password expiration details on Linux systems. It allows administrators to define password aging policies, enforce account security measures, and ensure compliance with organizational or security policies.
Understanding how to use chage effectively can help in managing user accounts efficiently, keeping accounts secure, and ensuring user credentials are updated regularly. Below, we dive into several specific use cases of the chage command, each with a detailed explanation and the scenarios where it applies.
Use case 1: List password information for the user
Code:
chage --list username
Motivation:
Understanding the current status of a user’s password expiration can be crucial for system administrators. By listing this information, administrators can assess whether a password change is overdue, whether the password expiration policy is being adhered to, and when the next password update is due. Regular checks can enhance security by preventing expired passwords from being used indefinitely.
Explanation:
- chage: This initiates the command used to view or modify aging information.
- --list: The argument that requests display of the current status and configuration of the account’s password aging information.
- username: This is a placeholder for the actual username whose password information you intend to check. Replace username with the actual user account name.
Example output:
Last password change : May 01, 2023
Password expires : May 31, 2023
Password inactive : never
Account expires : never
Minimum number of days between password change : 7
Maximum number of days between password change : 30
Number of days of warning before password expires : 5
Use case 2: Enable password expiration in 10 days
Code:
sudo chage --maxdays 10 username
Motivation:
Enabling password expiration forces users to update their passwords regularly, elevating the security posture of the infrastructure. Implementing a reasonable limit, such as 10 days, ensures credentials are updated often, reducing the risk of compromised credentials going unnoticed for extended periods.
Explanation:
- sudo: This prefix allows non-root users to run the chage command with superuser privileges. Necessary for making changes to user account settings.
- chage: The core command enabling modifications to user password attributes.
- --maxdays: This specifies the maximum duration, in days, a password can be used before it must be changed.
- 10: The number of days after which the user’s password will expire and needs to be changed.
- username: The target user account whose password expiration setting is being modified.
Example output:
Password maximum age updated for user "username".
Use case 3: Disable password expiration
Code:
sudo chage --maxdays -1 username
Motivation:
There are situations, particularly with service accounts or non-interactive user accounts, where password expiration is undesirable. Disabling password expiration for specific users ensures that critical service accounts remain uninterrupted.
Explanation:
- sudo: Run the command with elevated privileges to change user account settings.
- chage: Initiates the password aging command.
- --maxdays: Utilized to set the duration for which a password remains valid. Setting it to -1 disables expiration.
- -1: Indicates the setting to disable password expiration, preventing the system from ever requiring a password change.
- username: Replace with the specific user account for which password expiration is being disabled.
Example output:
Password expiration disabled for user "username".
Use case 4: Set account expiration date
Code:
sudo chage --expiredate YYYY-MM-DD username
Motivation:
Setting an account expiration date can be important in temporary projects, contract-based employment, or when preparing to retire an account. By explicitly setting an expiration date, administrators can smoothly manage account lifecycles and ensure that inactive or unneeded accounts are deactivated automatically.
Explanation:
- sudo: Execute the command with the required administrative privileges.
- chage: The command used for user account and password aging management.
- --expiredate: This option specifies the date when the user account will be disabled.
- YYYY-MM-DD: The specific date format indicating when the account should expire; replace with the actual expiration date.
- username: The user account in question, which is being scheduled for expiration.
Example output:
Account will expire on YYYY-MM-DD for user "username".
Use case 5: Force user to change password on next log in
Code:
sudo chage --lastday 0 username
Motivation:
There may be instances where you need to ensure a user updates their password immediately the next time they log in. This is particularly useful after a security breach, a policy update, or when initially setting up an account to ensure the chosen password meets complexity requirements.
Explanation:
- sudo: Provides superuser rights necessary for making adjustments to user accounts.
- chage: The command to manage user password settings.
- --lastday: This argument sets the “last password change” date.
- 0: Forces the user’s password to be changed the next time they log in by setting the last change to zero days ago.
- username: The specific user account being targeted for this mandatory password update.
Example output:
User "username" must change password at next logon.
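An added example, not part of the original article: a shell function that audits shadow(5)-format records for the states that use cases 2 to 5 set (maximum age, disabled expiration, account expiry date, forced change). The sample records, the 90-day policy limit and the names audit_aging and today_days are assumptions made for illustration.

```shell
#!/bin/sh
# Audit shadow(5)-format records for password-aging state.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are counted in days since 1970-01-01.

# Constructed sample records, not taken from a real system.
SAMPLE_SHADOW='alice:$6$constructed$hash:19478:7:30:5:::
bob:$6$constructed$hash:19478:0::7:::
carol:$6$constructed$hash:0:0:90:7:::
dave:$6$constructed$hash:19478:0:90:7::19500:
svc_backup:!:19478:0:99999:7:::
erin:$6$constructed$hash:19400:0:90:7:::'

# Current date as days since the epoch, the unit the shadow file uses.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# audit_aging MAX_ALLOWED TODAY   (shadow records on stdin)
# Prints "user: finding" for every account that needs attention.
audit_aging() {
    awk -F: -v limit="$1" -v today="$2" '
        # Locked or password-less-login entries: password aging is moot.
        $2 ~ /^[!*]/ { next }
        # lastchg of 0 is the state written by: chage --lastday 0
        $3 == "0" { print $1 ": must change password at next login"; next }
        # Field 8 is the date set by: chage --expiredate
        $8 != "" && $8 + 0 <= today + 0 { print $1 ": account expired"; next }
        # Empty (or negative) max age: no maximum, expiration disabled.
        $5 == "" || $5 + 0 < 0 { print $1 ": password never expires"; next }
        # A maximum age longer than the policy allows.
        $5 + 0 > limit + 0 {
            print $1 ": max age " $5 " exceeds policy " limit; next
        }
        # Password older than its maximum age.
        $3 != "" && $3 + $5 < today + 0 { print $1 ": password expired" }
    '
}

# Run against the constructed sample with a fixed "today" of day 19500.
# On a live system (as root): getent shadow | audit_aging 90 "$(today_days)"
printf '%s\n' "$SAMPLE_SHADOW" | audit_aging 90 19500
```

Locked entries such as svc_backup are skipped on purpose, so a service account with a disabled password does not drown out interactive accounts whose expiration was turned off.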
Conclusion:
The chage command is an essential utility for managing user accounts and enforcing security policies regarding password usage and expiration. By correctly utilizing the chage command, system administrators can enhance security by ensuring passwords are updated frequently, manage account lifecycles efficiently, and ensure compliance with organizational security policies. The examples provided demonstrate the range of what the command can do and support the per-user management practices needed in dynamic IT environments.