May | 2018 | Adam's Tech Blog

Linux: How to Enable Password Aging in Linux

May 11, 2018 / 1 Comment

It’s a good security practice to enforce password aging. This helps to prevent unauthorized system access using your credentials. Bad actors can obtain your credentials from a data dump from a previous attack on your network, or from another website or service you may have used. It’s important to note that you should never use common passwords and you should adopt the discipline of using a password management tool.

The logins.defs file

The file located at /etc/login.defs defines the default configuration for various account properties on your Linux system. Multiple user management commands such as “useradd” and others read defaults from this file.

For this example, we will add a few options to our login.defs file, which will enforce password aging.

Open your favorite editor (like vi) and drop the following lines at the bottom of the file:

PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 7

The PASS_MAX_DAYS option sets the maximum time for a password to 90 days. After 90 days, the password is required to be changed. The second line, PASS_MIN_DAYS, sets the minimum days before a user can change the password again.

Please note, changing the login.defs file only impacts new user creation. To change existing users, use the chage command as outlined in How to Check (and change) User Password Expiration.

Linux: How to Check (and change) User Password Expiration

May 11, 2018 / 0 Comments

If you currently utilize password expiration that’s built in to Linux, you may have an account that’s locked out or about to be locked out. How would you check to see if a given user account is locked out?

To do this, use the chage command. This command can display information about when the password will expire as well as change the expiry time.

Checking the Expiry Information

To check the expiry information, use the chage command like this:

# chage -l username
Last password change : Aug 31, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

The output of chage shows us the last password change, when the password will expire and more.

Changing the Expiry Time

If you would like to set the expiry time of a given users password to “never”, use the following command:

# chage -M -1 username

To set a specific maximum days before the password is required to be changed, use the following command:

# chage -M 90 username

For more information about configuring password aging for all users, see How to Enable Password Aging in Linux.