In this blog post, we will discuss two ways to check the password expiration date for users in Linux. The first way is to use the chage command, and the second way is to use the passwd command.
We will also discuss how to change a user’s password expiration date using these commands. Let’s get started!
Understanding user’s password expiration date in Linux
In Linux, each user has a password expiration date set by the administrator. This is the date after which the user will be asked to change their password.
There are a few reasons why you might want to set an expiration date for users in Linux:
- To ensure that passwords are changed on a regular basis (for security purposes)
- To prevent users from using the same password for a long period of time
- To make sure that passwords are not set to never expire (which is not recommended)
The password expiration date is set using the chage command. You can view a user’s password expiration date by running the following command:
$ chage -l username
The user’s password expiration date = user’s Last password change date + Maximum number of days between password changes
We will discuss this more.
When a user’s password expires, they will be prompted to change their password the next time they try to log in. If the user does not change their password, they will not be able to log in.
Check user’s password expiration date with chage command in Linux
The chage command is used to view or change a user’s password expiration date. To use this command, you must be logged in as the root user. You can view a user’s password expiration date by running the following command:
chage -l username
This will output the following information:
Last password change : May 5, 2020
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password changes : 0
Maximum number of days between password changes : 99999
Number of days of warning before password expires : 7
The output above shows that the user’s password never expires. Actually, it is not recommended.
Here is another example.
# chage -l test
Last password change : Apr 06, 2022
Password expires : May 06, 2022
Password inactive : Jun 05, 2022
Account expires : Nov 20, 2022
Minimum number of days between password change : 0
Maximum number of days between password change : 30
Number of days of warning before password expires : 7
You can see that the password for the user test would expire on 2022-05-06. That is Last password change date 2022-04-06 + Maximum number of days 30.
To change a user’s password expiration date in Linux, you can use the following command:
chage -M number_of_days username
This will set the user’s password to expire after the specified number of days after the Last password change date. For example, to set a user’s password to expire after 30 days, you would run the following command:
chage -M 30 username
You can also use the chage command to set a user’s account to expire on a specific date. Actually, this command will change the account expiration date, not the password expiration date. They are different.
To do this, you can use the -E flag followed by the date in the YYYY-MM-DD format. For example, to set a user’s account to expire on Nov 20th, 2022, you would run the following command:
chage -E 2022-11-20 username
Here is a shell script to check all the user’s password expiration.
for user in $(cat /etc/passwd |cut -d: -f1); do echo $user; chage -l $user | grep "Password expires"; done | paste -d " " - - | sed 's/Password expires//g'
ladvd : never
test1 : Jun 24, 2023
test2 : Aug 14, 2023
test3 : Sep 05, 2023
Check user’s password expiration date with passwd command in Linux
The passwd -S command is another way to view a user’s password expiration date in Linux. This command will output the status of a user’s account. To use this command, you must be logged in as the root user.
You can view a user’s Last password change date by running the following command:
passwd -S username
This will output the following information:
test PS 2020-05-05 0 99999 7 -1 (Password set, SHA512 crypt.)
The output above shows that the user’s password never expires.
This command will output a short information about the status of the password for a given account. The status information consists of 7 fields.
- The first field is the user’s login name.
- The second field indicates if the user account has a locked password (LK), has no password (NP), or has a usable password (PS).
- The third field gives the date of the last password change.
- The next four fields are the minimum age, maximum age, warning period, and inactivity period for the password. These ages are expressed in days.
Let us see one more example.
test LK 2022-04-06 0 30 7 30 (Password locked.)
The Last password change date for this account is 2022-04-06. The Maximum number of days between password change is 30.
So the user password expiration date here is 2022-04-06 + 30 days. We can use the date command to get this date.
date -d "2022-04-06 30 days" +%Y-%m-%d
2022-05-06
How to force a user to change password in Linux?
If you want to force a user to change their password, you can use the following command:
chage -d 0 username
This will set the password expiration date to 0, which means that the user’s password will expire immediately. They will be prompted to change their password the next time they try to log in.
You can also use this command to disable a user account by setting the expiration date to a date in the past. For example, to disable a user account on May 5th, 2020, you would run the following command:
chage -E 2020-05-05 username
This would set the user’s account expiration date to 2020-05-05, which is in the past. The user would not be able to log in because their account would be expired.
How to set a user’s password to never expire in Linux?
You can use this command to remove a password expiration date. This can be useful if you want to set a user’s password to never expire.
To do this, you would run the following command:
chage -M -1 username
This will set the password expiration date to -1, which means that the password will never expire.
You can also use this command to set a user’s account to never expire. To do this, you would use the -E flag followed by -1. For example:
chage -E -1 username
This will set the account expiration date to -1, which means that the account will never expire.