In Linux systems, user accounts can expire based on password expiration, account expiration dates, or inactivity policies. When an account expires, you may encounter login failures and restricted access to system resources.
Table of Contents
What Does “Account Expired” Mean?
An expired account occurs when:
- The system date surpasses the account’s expiration date set in
/etc/shadow - The password has expired and mandatory password change is enforced
- The account has been disabled or locked by an administrator
- The inactivity timeout period has been exceeded
Common Error Messages {#error-messages}
Standard Error Messages
When your account expires, you might see these messages:
Your account has expired. Please contact your system administrator.
Your account or password has expired.
Authentication token manipulation error
Password expired (status 1)
User account has expired
Login Attempt Output
$ ssh user@hostname
user@hostname's password:
Your account has expired. Please contact your system administrator.
Connection closed by authenticating user.
How to Check Account Expiration {#check-expiration}
Method 1: Using chage Command (Most Direct)
chage -l username
Example Output:
Last password change : Nov 01, 2025
Password expires : Dec 01, 2025
Password inactive : Jan 15, 2026
Account expires : Nov 05, 2025
Minimum number of days between changes : 0
Maximum number of days between changes : 30
Number of days of warning before expiry : 7
Method 2: Using finger Command
finger username
Example Output:
Login: user Name: Test User
Directory: /home/user Shell: /bin/bash
Last login never
No mail.
Method 3: Checking /etc/shadow Directly (Root)
sudo cat /etc/shadow | grep username
Format Explanation:
username:password:lastchange:min:max:warn:inactive:expire:reserved
- expire field: Days since Jan 1, 1970. If -1 or blank, account never expires
Example:
user:$6$rounds=656000$xyz...:18980:0:30:7:10:18984:
Convert epoch days to date:
date -d @$((18984 * 86400))
# Output: Fri Nov 05 2025 00:00:00 UTC
Method 4: Using getent Command
getent shadow username
Method 5: Using lastlog Command
lastlog -u username
Resolving the Issue {#resolving}
For End Users
Option 1: Contact Your System Administrator
If you don’t have root access, ask your administrator to:
# Admin runs:
sudo chage -E -1 username # Disable expiration
# OR
sudo chage -E 2026-12-31 username # Set new expiration date
Option 2: Reset Your Password (If Permitted)
passwd
This may reset the expiration timer if policies are configured.
See also: Mastering the Linux Command Line — Your Complete Free Training Guide
For System Administrators
Disable Account Expiration
# Disable expiration for specific user
sudo chage -E -1 username
# Verify the change
sudo chage -l username
Set New Expiration Date
# Set expiration to specific date
sudo chage -E 2026-12-31 username
# Set expiration to 90 days from now
sudo chage -E $(date -d "+90 days" +%Y-%m-%d) username
Reset Password Expiration
# Force immediate password change on next login
sudo chage -d 0 username
# Set password validity to 90 days
sudo chage -M 90 username
# Set password expiration warning to 7 days
sudo chage -W 7 username
Set Inactivity Period
# Disable account after 30 days of inactivity
sudo chage -I 30 username
Comprehensive Account Reset
sudo chage -d $(date +%Y-%m-%d) -M 90 -m 1 -W 7 -I 30 -E -1 username
Preventing Future Expiration {#preventing}
1. Monitor Account Expiration
Create a script to alert before expiration:
#!/bin/bash
# check_expiration.sh
USERNAME=$1
WARN_DAYS=14
if [ -z "$USERNAME" ]; then
echo "Usage: $0 username"
exit 1
fi
EXPIRE=$(sudo chage -l "$USERNAME" | grep "Account expires" | awk -F': ' '{print $2}')
EXPIRE_DATE=$(date -d "$EXPIRE" +%s)
TODAY=$(date +%s)
DAYS_LEFT=$(( ($EXPIRE_DATE - $TODAY) / 86400 ))
if [ $DAYS_LEFT -lt $WARN_DAYS ]; then
echo "WARNING: Account $USERNAME expires in $DAYS_LEFT days!"
fi
2. Set Default Policies
Edit /etc/login.defs:
PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_WARN_AGE 7
3. Configure PAM (Pluggable Authentication Modules)
Edit /etc/pam.d/common-password:
password requisite pam_pwquality.so retry=3
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yesagain sha512 shadow
4. Automated Account Management
Use cron jobs for regular updates:
# /etc/cron.daily/update_account_expiry
#!/bin/bash
# Reset critical accounts
sudo chage -E -1 root
sudo chage -E -1 sysadm
Summary
| Action | Command |
|---|---|
| Check expiration | chage -l username |
| Disable expiration | sudo chage -E -1 username |
| Set expiration date | sudo chage -E 2026-12-31 username |
| View shadow file | sudo cat /etc/shadow |
| Force password change | sudo chage -d 0 username |
| Set max password age | sudo chage -M 90 username |
| Set warning period | sudo chage -W 7 username |
References
- Man Pages:
man chageman shadowman login.defsman pam
- Related Files:
/etc/shadow– User password information/etc/login.defs– Login configuration/etc/pam.d/– PAM configurations/var/log/auth.log– Authentication logs
FAQ chage command
What is the chage command used for?
The chage command is utilized in Linux to modify the expiration parameters of user accounts, including password aging and expiration settings. It enables administrators to set rules for password changes, inactivity periods, expiration dates, and more.
What’s the difference between chage and passwd commands?
While both commands manage user passwords, chage focuses on setting password aging parameters (expiration, inactivity periods) without changing the password itself. Passwd is used primarily to change or set user passwords directly.
Can I force a user to change their password at the next login using chage?
Yes, you can use chage -d 0 username to set the last password change date to 0, effectively requiring the user to change their password upon the next login.
How to make Linux user password never expire
