Have you logged in through SSH to remote servers with the brand new given UNIX account in your company just to be prompted for your current Password immediately after logging and forced to change your password?
The smart sysadmins or security officers use this trick for many years to make sure the default set password for new user is set to a smarter user to prevent default password leaks which might later impose a severe security risk for a company Demiliterized networks confidential data etc.
If you haven't seen it yet and you're in the beautiful world of UNIX / Linux as a developer qa tester or sysadmin sooner or later you will face it.
Here of course I'm talking about plain password local account authentication using user / pass credentials stored in /etc/passwd or /etc/shadow.
Lets Say hello to the main command chage that is used to do this sysadmin trick.
chage command is used to change user password expiry information and set and alter password aging parameters on user accounts.
1. Force chage to make password expire on next user login for a new created user
# chage -d 0 {user-name}
Below is a real life example
2. Get information on when account expires
[hipo@linux ~]$ chage -l hipo
Last password change : Apr 03, 2020
Password expires : Jul 08, 2020
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 14
3. Use chage to set user account password expiration
The most straight forward way to set an expiration date for an active user acct is with:
# chage -E 2020-08-16 username
To make the account get locked automatically if the password has expired and the user did not logged in to it for 2 days after its expiration.
# chage -I 2 username
– Set Password expire with Minimum days 7 (-n mindays 7), (-x maxdays 28) and (-w warndays 5)
# passwd -n 7 -x 28 -w 5 username
To check the passwod expiration settings use list command:
# chage -l username
Last password change : юни 18, 2020
Password expires : юли 16, 2020
Password inactive : never
Account expires : never
Minimum number of days between password change : 7
Maximum number of days between password change : 28
Number of days of warning before password expires : 5
chage is a command is essential sysadmin command that is mentioned in every Learn Linux book out there, however due to its often rare used many people and sysadmins either, don't know it or learn of it only once it is needed.
A note to make here is some sysadmins prefer to use usermod to set a password expire instead of chage.
usermod -e 2020-10-14 username
For those who wonder how to set password expiry on FreeBSD and other BSD-es is done, there it is done via the pw system user management tool as chage is not present there.
A note to make here is chage usually does not provide information for Linux user accounts that are stored in LDAP. To get information of such you can use ldapsearch with a query to the LDAP domain store with something like.
ldapsearch -x -ZZ -LLL -b dc=domain.com,dc=com objectClass=*
It is worthy to mention also another useful command when managing users this is getent used to get entries from Name Service Switch libraries.
getent is useful to get various information from basic /etc/ stored db files such as /etc/services /etc/shadow, /etc/group, /etc/aliases, /etc/hosts and even do some simple rpc queries.