How to make Linux user password never expire

To ensure a user’s password never expires in Linux, leverage the chage command—a tool specifically designed for altering user password expiration settings.

As a root user, execute the following command:

chage -I -1 -m 0 -M 99999 -E -1 <username>

Replace <username> in the command with the actual username.

Breaking down this command:

  • chage: Command for modifying user password expiry details.
  • -I -1: Sets the ‘Inactivity period’ of the password to -1, disabling inactivity-based password expiration.
  • -m 0: Defines the minimum days between password changes as 0, enabling password modification at any time.
  • -M 99999: Specifies the maximum days a password remains valid; 99999 effectively disables password expiration.
  • -E -1: Sets the account expiration date, given as a date or as days since Jan 1, 1970. Setting it to -1 removes the expiration date, so the account itself never expires.

In essence, this command deactivates password aging for the user, eliminating forced password changes due to expiration.

Introduction

Password expiration is a common security practice in Linux systems to ensure that user credentials are regularly updated.

However, there are legitimate scenarios where you might need to set a password to never expire—such as for system accounts, service accounts, automation scripts, or batch processes that require uninterrupted access.

This guide walks you through the various methods to disable password expiration for a specific user in Linux.

Understanding Password Aging in Linux

Before diving into the solutions, it’s important to understand how Linux manages password expiration:

  • Password aging is controlled through the /etc/shadow file, which stores password expiration information for each user
  • Linux provides several tools to manage password expiration, with chage being the most user-friendly
  • Password expiration settings are independent of account expiration, though both can be managed together

Method 1: Using the chage Command (Recommended)

The chage command is the standard utility for managing user password aging and expiration in Linux. It provides an easy way to set password expiration parameters.

The Complete Command

To make a user’s password never expire, run:

sudo chage -I -1 -m 0 -M 99999 -E -1 <username>

Replace <username> with the actual Linux username.

Understanding the Options

Here’s what each flag does:

Option   Value   Description
-I       -1      Disables inactivity expiration (password doesn’t expire due to inactivity)
-m       0       Sets minimum password age to 0 (allows changing password anytime)
-M       99999   Sets maximum password age to 99999 days (effectively never expires)
-E       -1      Disables account expiration (the account itself never expires)

Example

To set the password for user appuser to never expire:

sudo chage -I -1 -m 0 -M 99999 -E -1 appuser

Verifying the Settings

After running the command, verify that the settings have been applied correctly:

sudo chage -l appuser

You should see output similar to:

Last password change                    : Nov 06, 2025
Password expires                        : never
Password inactive                       : never
Account expires                         : never
Minimum number of days between changes  : 0
Maximum number of days between changes  : 99999
Number of days of warning before expiry : 7

Method 2: Using Individual chage Flags

If you prefer to set options separately or incrementally, you can use individual chage commands:

Set Maximum Password Age to Never

sudo chage -M -1 <username>

The -M -1 flag specifically sets the maximum password age to -1, which effectively means the password never expires.

Set Account Expiration to Never

sudo chage -E -1 <username>

Set Inactivity Period to Never

sudo chage -I -1 <username>

Method 3: Using the passwd Command

The passwd command offers a simpler alternative for setting password expiration:

sudo passwd -x -1 <username>

  • The -x flag specifies the maximum number of days a password is valid
  • Setting it to -1 means the password never expires

Example

sudo passwd -x -1 john

Method 4: Editing /etc/shadow Directly

Note: This method is not recommended for most users as it’s error-prone, but it’s useful to understand the underlying mechanism.

The /etc/shadow file contains password expiration information in fields 5, 6, 7, and 8:

username:password_hash:last_change:min_age:max_age:warning:inactivity:account_expiration:reserved

To make a password never expire by editing /etc/shadow:

  1. Open the file with a text editor (requires root): sudo nano /etc/shadow
  2. Find the user’s line and modify the fields:
    • Field 5 (max_age): Set to -1 or a very large number like 99999
    • Field 7 (inactivity): Set to -1
    • Field 8 (account_expiration): Set to -1
  3. Example line (before): john:$6$...hash...:19500:0:90:7:30:19999:
  4. Example line (after): john:$6$...hash...:19500:0:-1:-1:-1:-1:

Always use chage or passwd instead of manual editing to avoid syntax errors.

Practical Examples

Example 1: Set Password to Never Expire for a Service Account

sudo chage -M -1 mysql_user

Example 2: Configure Multiple Settings at Once

sudo chage -m 0 -M -1 -I -1 -E -1 jenkins_user

Example 3: Remove Expiration from Multiple Users

for user in appuser serviceaccount jenkins; do
  # Quote the variable so each username is passed as a single argument
  sudo chage -M -1 "$user"
done

Security Considerations

⚠️ Important: Setting passwords to never expire has security implications:

When It’s Appropriate

  • System accounts (e.g., mysql, postgres)
  • Service accounts that run automated tasks
  • Batch processing accounts
  • Test/development environments

When It’s Inappropriate

  • Regular user accounts with human users
  • Administrative accounts
  • Development accounts in production
  • Any account used by a person with elevated privileges

Best Practices

  1. Document the decision: Keep records of which accounts have non-expiring passwords and why
  2. Use strong passwords: Compensate for non-expiration with complex, strong passwords
  3. Monitor accounts: Regularly audit which accounts have expiration disabled
  4. Implement other controls: Use SSH keys, access controls, and logging to enhance security
  5. Review periodically: Schedule quarterly reviews to ensure non-expiring passwords are still necessary
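
The audit recommended in item 3 can be done by reading the aging fields described under Method 4. The script below is an added example, not code from the original article: the function names, the NEVER_DAYS threshold, the state labels and the sample lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example: report accounts in a shadow-format file whose password never expires.
# Fields used: 1=username, 2=password_hash, 5=max_age.
# Assumption: an empty or negative max_age, or one >= NEVER_DAYS, counts as "never".
NEVER_DAYS=99999

# Constructed sample lines (hashes are placeholders, not real).
sample_shadow() {
  cat <<'EOF'
root:$6$constructed$hashA:19500:0:90:7:30::
appuser:$6$constructed$hashB:19500:0:99999:7:::
jenkins:$6$constructed$hashC:19500:0::7:::
mysql:!:19500:0:99999:7:::
john:$6$constructed$hashD:19500:0:-1:-1:-1:-1:
alice:$6$constructed$hashE:19500:0:90:7:30:19999:
EOF
}

# audit_noexpire FILE  -> prints "user<TAB>state" for each non-expiring password.
# FILE defaults to /etc/shadow (root only); "-" reads standard input.
audit_noexpire() {
  awk -F: -v never="$NEVER_DAYS" '
    /^#/ || NF == 0 { next }                       # skip comments and blank lines
    NF < 8 { printf "malformed\tline %d\n", NR; next }
    $5 != "" && $5 !~ /^-?[0-9]+$/ { printf "malformed\t%s\n", $1; next }
    $5 == "" || $5 + 0 < 0 || $5 + 0 >= never + 0 {
      # "!" or "*" at the start of the hash field means no password login is possible.
      if ($2 ~ /^[!*]/)  state = "locked"
      else if ($2 == "") state = "empty-password"
      else               state = "usable"
      printf "%s\t%s\n", $1, state
    }
  ' "${1:-/etc/shadow}"
}

# Demo on the constructed sample above.
sample_shadow | audit_noexpire -
```

On a real system, call audit_noexpire with no argument as root. Rows marked "usable" are the accounts a periodic review should check against the documented exceptions.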

Troubleshooting Common Issues

“Permission denied” Error

Solution: Ensure you’re running the command with sudo:

sudo chage -M -1 username

User Doesn’t Exist Error

Solution: Verify the username exists:

id username

Changes Don’t Take Effect

Solution: Verify the changes were applied:

sudo chage -l username

Need to Restore Default Expiration

Solution: Re-enable expiration with:

sudo chage -M 90 username  # Password expires after 90 days

Checking Current Password Policy

To view the current password settings for a user:

sudo chage -l <username>

This displays all password aging information, including:

  • Last password change date
  • Password expiration date (or “never”)
  • Password inactive status
  • Account expiration status
  • Days between password changes allowed

Advanced: Setting System-Wide Defaults

To set default password expiration policies for all new users, edit /etc/login.defs:

sudo nano /etc/login.defs

Look for these lines and adjust as needed:

PASS_MAX_DAYS   99999    # Maximum days password is valid
PASS_MIN_DAYS   0        # Minimum days between password changes
PASS_WARN_AGE   7        # Warning days before expiration

Conclusion

Making a Linux user’s password never expire is straightforward using the chage command. While the process is simple, it’s important to carefully consider the security implications and only apply it to accounts that truly need it. Always document these changes and review them periodically to maintain a secure system.

Quick Reference:

# Make password never expire
sudo chage -M -1 username

# Verify settings
sudo chage -l username

By following this guide, you can effectively manage password expiration policies in your Linux environment while maintaining security best practices.

David Cao