Keeping track of user accounts is very important, especially as a Linux server administrator. In this episode of Linux Essentials, we’ll explore user and password expiration. This will include examples regarding locking passwords, the chage command, and more!
Thank you to Linode for sponsoring this video. Check them out here and get your very own Linux server set up in minutes!
Before you get started, you’ll need some users to manage. I’ve already gone over user management in a previous episode in the Linux Essentials series, so check that out if you need a refresher on creating and deleting user accounts. For these exercises, it’s probably best to have 2-3 disposable users to play around with.
First, verify that you are able to use the
su command to switch to another user account:
su - neo
If everything works, you should be prompted for the users password. Assuming you entered the correct password, you should now be logged in as the other user. When finished, you can type
exit to return to the user you were using previously.
Back to the original user, let’s configure password expiration for one or more users. To set an expiration date for a user’s password, we will use the
sudo chage -E 2021-10-01 neo
chage command, we have several options we can give the command. One of those is the
-E option, which allows us to set the expire date.
To inspect the details for a user, we can use the
-l option with
chage -l neo
We can see some very important info here, such as the last time the password was changed, when it expires, and so on.
Here’s another example. Suppose you want to set the expiration date for a user:
sudo chage -E 2021-12-15 trinity
I just chose those dates randomly, but the syntax is fairly straight forward when it comes to setting the expiration date.
In addition, you can also set the expiration date by the number of days, rather than by providing a date:
sudo chage -M 30 trinity
-M option allows us to set the days until the password expires.
If you want to remove a password expiration, you can do so by setting the expire date to
sudo chage -E -1 morpheus
Here, we removed the expiration date for
morpheus, so his password won’t expire.
Users are fairly sneaky, to be honest. Some will prefer to use the same password forever, without changing it. Although it’s arguable how much password expiration truly helps security, a user sticking to their old password is often a violation of policy. Generally, what they’ll try to do is change the password, then change it several more times to other variations of the password, and then change it again back to their original password. This effectively bypasses the number of entries in the password history the system checks against, allowing them to use the same password again.
To help combat this, we can set a minimum number of days between password changes. This won’t completely solve the problem, but it makes it far less convenient for someone to try to trick the system into letting them use their old password.
sudo chage -m 7 neo
-m option for sage sets the minimum number of days that must pass before the user will be allowed to change their password. If the system is checking the last ten passwords to make sure their unique, then the eleventh password being the same as the first would be allowed. But with the user set to a minimum days of 7 between password changes, then it would take them eleven weeks to cycle back to the original password. This is one of those things that can help you enforce your company’s password history policy.
There’s another command that I’d like to show you, that’s actually not a variation of the
chage command this time, but it’ll allow you to lock a user completely to where they won’t be able to log in.
sudo passwd -l trinity
passwd command was covered earlier in the series, and you also saw me use it earlier in this video to set a password for the three users I created. But you can also use the
passwd command to lock a user as well.
And that’s a good idea in a situation where a user account won’t be used for a while, but you don’t want to remove it just in case the user is needed again in the future.
Be sure to check out the video for even more information on expiring user accounts.