The chage command is a vital tool for Linux system administrators when managing user accounts, specifically for controlling password expiration and aging policies. As security concerns increase, it’s essential to ensure that users change their passwords regularly and understand when they must do so. The chage command provides administrators with the flexibility to enforce password policies, lock accounts, and define expiration dates, all aimed at boosting system security.
This guide will walk you through the syntax, options, and practical examples of the chage command. Whether you’re new to Linux or an experienced sysadmin, this post will enhance your understanding and usage of the chage command.
What is the Chage Command?
The chage command in Linux is used to change the password expiry information for a user. It enables administrators to set a range of policies for password changes, including defining when a user must change their password, the minimum and maximum time between password changes, and account expiration dates.
In essence, chage helps system administrators manage account security by ensuring passwords are changed regularly, and inactive accounts are locked or expired.
Chage Command Syntax
The syntax for the chage command is simple:
chage [options] LOGIN
Here, LOGIN is the name of the user account whose password expiration information you want to modify. Below, we’ll go through the available options to help you fully understand how to use chage.
Chage Command Options
1. -d, –lastday LAST_DAY
The -d option sets the last day the password was changed, expressed either as the number of days since January 1st, 1970, or in the format YYYY-MM-DD. If you set this to 0, the user will be forced to change their password at their next login.
Example:
chage -d 2023-01-01 user1
In this case, user1‘s password was last changed on January 1, 2023. The system will use this information to calculate the password age.
If you set the date to 0:
chage -d 0 user1
This forces user1 to change their password at the next login.
2. -E, –expiredate EXPIRE_DATE
The -E option allows you to set an account expiration date. This date determines when the user’s account will become inaccessible. The expiration date is set in the same format as LAST_DAY (i.e., either a date or the number of days since January 1st, 1970).
For example, to expire an account in 180 days, you can use the following command:
chage -E $(date -d +180days +%Y-%m-%d) user1
This will automatically set the account user1 to expire in 180 days.
To remove an expiration date, use:
chage -E -1 user1
This command will remove any expiration date, and the account will no longer be set to expire.
3. -h, –help
The -h or --help option displays a help message with the usage details and exits. This option is useful if you need a quick reminder of the available options.
Example:
chage --help
4. -i, –iso8601
The -i option formats the output of chage in the ISO 8601 date format (YYYY-MM-DD), making it easier to read and understand.
Example:
chage -i user1
This will display the password expiration and aging information for user1 in the ISO 8601 format.
5. -I, –inactive INACTIVE
The -I option defines the number of days of inactivity allowed after a password has expired before the user’s account is locked. This can be useful for setting a grace period after password expiration.
Example:
chage -I 7 user1
In this case, if user1 does not change their password within 7 days after it expires, their account will be locked.
To remove the inactivity period, use:
chage -I -1 user1
6. -l, –list
The -l option displays the account aging information for the specified user. This option doesn’t modify anything but shows the current password expiry settings.
Example:
chage -l user1
This command will display the current password aging settings for user1.
7. -m, –mindays MIN_DAYS
The -m option sets the minimum number of days between password changes. This means a user cannot change their password until the specified minimum number of days has passed.
Example:
chage -m 7 user1
In this case, user1 can only change their password after 7 days have passed since the last change.
8. -M, –maxdays MAX_DAYS
The -M option sets the maximum number of days during which a password is valid. Once the maximum days have passed, the user will be required to change their password to continue using their account.
Example:
chage -M 30 user1
Here, user1 will be required to change their password every 30 days. If the password hasn’t been changed within 30 days, they will be forced to change it upon the next login.
To remove the maximum days restriction:
chage -M -1 user1
9. -R, –root CHROOT_DIR
The -R option allows you to apply changes within a chroot environment. It uses the configuration files from the specified CHROOT_DIR directory instead of the system’s usual directories.
Example:
chage -R /chroot_dir user1
10. -W, –warndays WARN_DAYS
The -W option sets the warning period before a password expires. This option determines how many days before the password expiration the user will receive a warning.
Example:
chage -W 7 user1
This command will warn user1 7 days before their password expires.
Chage Command: Configuration Files
The chage command relies on the following configuration files:
- /etc/passwd: Contains basic user account information.
- /etc/shadow: Stores the secure user account information, including password expiry data.
These files are crucial for managing user account settings. If the /etc/shadow file is missing or not configured correctly, the chage command will not function properly.
Exit Values for the Chage Command
The chage command returns the following exit values:
- 0: Success.
- 1: Permission denied.
- 2: Invalid command syntax.
- 15: Shadow password file not found.
Common Use Cases of the Chage Command
1. Set Password Expiration Date
You can easily set an expiration date for a user account using the -E option.
Example:
chage -E 2023-12-31 user1
This will expire user1‘s account on December 31, 2023.
2. Set Maximum Password Age
To force users to change their passwords after a specific period, use the -M option.
Example:
chage -M 90 user1
This will force user1 to change their password every 90 days.
3. Display Account Aging Information
Use the -l option to display the current aging information for any user.
Example:
chage -l user1
FAQ
- What does the
chagecommand do?
Thechagecommand allows you to manage user password expiration, aging, and inactivity settings on a Linux system. - How do I force a user to change their password immediately?
Use the-d 0option to force a user to change their password on the next login. - Can I expire a user account on a specific date?
Yes, you can use the-Eoption to set a specific expiration date for a user’s account. - What does the
-Moption do?
The-Moption sets the maximum number of days during which a password is valid.
- How can I check when a user’s password will expire?
Use the-loption to view a user’s password aging information. - How do I remove an expiration date?
Use-E -1to remove an account expiration date. - Can I apply
chagechanges in a chroot environment?
Yes, you can use the-Roption to apply changes in a chroot directory. - What happens if a password expires?
The user will be forced to change their password before they can log in. - Can I set a warning before a password expires?
Yes, use the-Woption to set the number of days before the password expiration date to warn the user. - Can I allow users to change their password immediately after setting the minimum days?
Yes, setting-m 0allows users to change their password at any time, regardless of the minimum days.
Conclusion
The chage command is a powerful and versatile tool for managing user password aging and account expiration settings in Linux. By using the various options, you can tailor your password policies to meet your system’s security needs. From enforcing regular password changes to locking accounts after inactivity, chage helps administrators keep their systems secure.
For more advanced Linux tutorials and updates, be sure to visit GeekersHub, your go-to resource for all things Linux and system administration.
For additional details and reference, check out the official Linux man page for chage.