Use the Chage Command in Linux
Learn to use the chage command and manage user account passwords in a more controlled manner.
It is not a typo. I'm actually talking about the chage command here!
The chage command is used for monitoring and changing the user password expiry date.
And with this utility, the system administrator may see when a password was changed, alter that date, and even freeze a user account after a certain period.
The possibilities are endless but let me share a few common examples of the chage command.
Find user account aging details in Linux
To know the account aging information, you will have to append the
-l flag and username with the chage command:
chage -l username
And you will get similar output if you are using your system as admin or if it is your personal Linux machine.
Last password changeindicates the date when the password was changed most recently.
Password expiresindicates the date when the password will expire.
Password inactivewill show how many days the account will remain inactive after the password is expired.
Minimum number of days between password changeindicates the minimum day break required between two password changes.
Maximum number of days between password changewill show how many days you are left to change your current password.
Once you know the use of all the fields, you can use the following command to use the chage command in interactive mode and it will ask you each field one by one:
sudo chage username
But what if you want to change them individually? Well, here's how you do it.
Lock user account in Linux
The most common use of the chage command is to lock the users.
To lock a specific user, all you need to do is execute a command in the given command syntax:
sudo -E 0 username
For reference, here, I locked a user account of
sudo -E 0 sagar
As you can see, once I executed the command to lock the account, it won't allow the user to log in.
And in case you are curious about the use of
0 flag, here you have it:
-Eflag is used to set an expiry date of an account
0is the date when the account should expire. So once you execute the command, the account will be locked immediately.
Force user to change password at next login
Want to force a specific user to change his password?
It is quite simple and can be achieved by the following command:
sudo chage --lastday 0 username
And as you can see, when I tried to log in as a
sagar, it forced me to change my password.
Set an account expiry date
If you want to set the date of the account expiry, you will have to use a
-E flag followed by date and username.
For example, here, I have set the account expiry date to 11th Jan 2023:
sudo chage -E 2023-01-11 sagar
Remove the account expiry date as a sysadmin
When your account is expired, the system will throw the error saying "account validation failure, is your account locked?":
So the first step is to gain root access using the su command:
Now, you will have to use the
--expiredate flowing by
-1 and username:
chage --expiredate -1 username
And now you can check the account aging details and it removes the account expiry date:
Specify the maximum number of days between the password change
To configure the maximum number of days between the password change, you will have to append the number of days to the
sudo chage -M No_of_days username
For example, here, I went with 5 days of gap between the password change:
sudo chage -M 5 sagar
Set account inactivity time after password expiry
The account inactivity field indicates how many days the account will remain inactive after the password is expired.
To set the account inactivity time, you will have to append the time (in days) and username to the
sudo chage -I No_of_days username
For example, here, I have configured my account inactivity period to 12 days:
sudo chage -I 12 sagar
Here, my password is expiring on 15th Jan 2023, so when I added 12 days of inactivity, it reflected 27th Jan 2023 in the password inactive field.
Notify the user before changing a password is necessary
You can set the number of days of warnings before the password is expired using the
sudo chage -W No_of_days username
For example, if I want to give warnings before 2 days of password expiry, I will be using the following command:
sudo chage -W 2 sagar
In the end...
Did you mess up while configuring password aging with the chage command?
Execute the chage command with username only and it gets you in the interactive mode of the chage command enabling you to change every detail:
sudo chage username
If you have any queries related to what I explained in this guide, feel free to ask in the comments.