Linux: How to Enable Password Aging in Linux

May 11, 2018 / 1 Comment

It’s a good security practice to enforce password aging. This helps to prevent unauthorized system access using your credentials. Bad actors can obtain your credentials from a data dump from a previous attack on your network, or from another website or service you may have used. It’s important to note that you should never use common passwords and you should adopt the discipline of using a password management tool.

The logins.defs file

The file located at /etc/login.defs defines the default configuration for various account properties on your Linux system. Multiple user management commands such as “useradd” and others read defaults from this file.

For this example, we will add a few options to our login.defs file, which will enforce password aging.

Open your favorite editor (like vi) and drop the following lines at the bottom of the file:

PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 7

The PASS_MAX_DAYS option sets the maximum time for a password to 90 days. After 90 days, the password is required to be changed. The second line, PASS_MIN_DAYS, sets the minimum days before a user can change the password again.

Please note, changing the login.defs file only impacts new user creation. To change existing users, use the chage command as outlined in How to Check (and change) User Password Expiration.

Comments

  1. Rob Welton
    August 10, 2018 - 6:01 pm

    Your blog is the best! Such win!

Leave a Reply

Your email address will not be published / Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.