1. Overview
System administrators rely on the chage command to display and modify the password aging information for a user account. For example, we can use this command to ensure that system users update their passwords regularly.
In this tutorial, we’ll learn about the chage command by providing examples to demonstrate its use.
2. Understanding chage
chage stands for change age and it follows a simple syntax:
$ chage [options] [username]Let’s discuss the syntax:
- [options] – specifies which field in the password aging information we want to modify
- [username] – represents the user account
Now, let’s explore some of its most common options.
2.1. Using the -l Option
We need the -l option to view the current password aging information for a specified user:
$ sudo chage -l francis
Last password change : May 19, 2024
Password expires : never
Password inactive : never
Account expires : Aug 01, 2024
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Now, let’s discuss these fields and the options needed to modify them. To clarify, we cannot modify the field Last password change directly using the chage command. This field automatically updates when the password is changed using the passwd command.
2.2. Using the -M option
The -M option modifies the Password expires field as well as the Maximum number of days between password change field.
So, the Password expires field specifies when the password for the user francis will expire. Meanwhile, the Maximum number of days between password change field represents the maximum number of days the user francis can use the same password before they’re required to change it:
$ sudo chage -M 60 francisThe command above sets the value of the Maximum number of days between password change field to 60 days. Additionally, the value of the Password expires field is set as the date of the Last password change plus the number of days specified with the -M option:
$ sudo chage -l francis
Last password change : May 19, 2024
Password expires : Jul 18, 2024
...Above, Password Expires is set to Jul 18, 2024, which is 60 days from May 19, 2024.
2.3. Using the -I Option
The -I option modifies the Password inactive field. So, this field specifies the number of days a user can access their account after the password expires, before the account is locked:
$ sudo chage -I 10 francisThe above command sets the value of the Password inactive field to the date defined in Password expires plus 10 days specified with the -I option:
$ sudo chage -l francis
...
Password expires : Jul 18, 2024
Password inactive : Jul 28, 2024
...
Here, the value of the Password inactive field updates to Jul 28, 2024, which is 10 days from the Password Expires Jul 18, 2024. After this date, the account is locked, and the user needs to contact the system administrator before being able to use the system again. Additionally, we can use -1 instead of 10 to set Password inactive to never, indicating that the password never becomes inactive.
2.4. Using the -E Option
We use the -E option to update the Account expires field. To explain, this field declares an expiration date for a user account:
$ sudo chage -E 2024-09-01 francisAbove, Account Expires updates to Sep 01, 2024. In particular, we need to specify the account expiration date in the format YYYY-MM-DD:
$ sudo chage -l francis
...
Account expires : Sep 01, 2024
...
After Sep 01, 2024, the account for francis expires. As a result, the system locks this account ensuring the user can’t log in. This option is useful for setting up temporary accounts on our system.
2.5. Using the -m Option
The -m option modifies Minimum number of days between password change field. So, this field represents how often a user can change their password:
$ sudo chage -m 1 francisAbove, we update Minimum number of days between password change from 0 to 1. This specifies that the user francis needs to wait one day after changing their password before they can change it again.
2.6. Using the -W Option
The -W option enables us to modify the Number of days of warning before password expires field. This field defines when the user will begin getting warnings before their password expires:
$ sudo chage -W 6 francisAbove, we change Number of days of warning before password expires from 7 to 6. This ensures that the user francis will start receiving warnings 6 days before the password expires.
2.7. Combining the Options
Let’s combine the above options in a single chage command:
$ sudo chage -M 60 -I 10 -E 2024-09-01 -m 1 -W 6 francisThis command updates multiple fields at once in the password aging information for the user francis. This ensures that the modifications are consistent and efficient.
3. Conclusion
In this article, we explored how the chage command is crucial for managing password policies for users.
The various options that chage provides offer flexibility to maintain a secure Linux system. For example, system administrators can use them to ensure users regularly update their passwords and get warnings to notify them of upcoming expirations.