Core Management Tool: <span>chage</span> Command
<span>chage</span> (change age) is a command specifically used to modify user password and account expiration information. It provides more granular control than the <span>passwd</span> command.
1. View Current Password Policy
To view the current password expiration settings for a user (for example, user <span>zhangsan</span>), use the <span>-l</span> option:
sudo chage -l zhangsan
Example output:
Last password change : Aug 15, 2024
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Meaning of Each Field:
- • Last password change: The date when the password was last changed.
- • Password expires: The date when the password expires. “never” means it never expires.
- • Password inactive: The grace period after the password expires during which the user can still log in; after this period, the account will be locked. “never” means no limit.
- • Account expires: The absolute date when the account itself expires. “never” means the account never expires.
- • Minimum number of days…: The minimum number of days that must pass between password changes (setting it to 0 means the password can be changed at any time).
- • Maximum number of days…: The maximum number of days the password remains valid (i.e., the password validity period).
- • Number of days of warning…: The number of days before the password expires that the user will start receiving warnings.
2. Set Password Policy (Common Options)
All the following commands require <span>root</span> privileges or use of <span>sudo</span>.
| Option | Meaning | Example and Explanation |
<span>-m days</span> |
Set the minimum password change interval | <span>sudo chage -m 7 zhangsan</span> sets the user to wait 7 days before changing the password again. |
<span>-M days</span> |
Set the maximum password validity period | <span>sudo chage -M 90 zhangsan</span> sets the password to expire after 90 days. This is one of the most important security policies. |
<span>-W days</span> |
Set the expiration warning days | <span>sudo chage -W 7 zhangsan</span> starts reminding the user 7 days before the password expires. |
<span>-I days</span> |
Set the grace period after password expiration | <span>sudo chage -I 5 zhangsan</span> gives the user 5 days to log in and change the password after expiration, after which the account is locked. |
<span>-E date</span> |
Set the account expiration absolute date | <span>sudo chage -E 2024-12-31 zhangsan</span> sets the account to expire at the end of 2024. The date format is YYYY-MM-DD, or use <span>-1</span> to indicate it never expires. |
<span>-d date</span> |
Force set the last password change time | <span>sudo chage -d 2024-08-01 zhangsan</span> is usually used to force the user’s password to expire immediately (<span>-d 0</span>). |
3. Interactive Setting Mode
Using <span>chage</span> without any options will enter interactive mode, where the system will prompt you step by step to enter each parameter, which is very suitable for first-time setups.
sudo chage zhangsan
4. Important Example Scenarios
Scenario 1: Setting Standard Security Policies for New Employees
“Password must be changed every 90 days, cannot be changed again within 7 days after changing, warning starts 7 days before expiration, account is immediately locked after expiration.”
sudo chage -m 7 -M 90 -W 7 -I 0 zhangsan
Scenario 2: Forcing Users to Change Password on Next Login
This is very useful after creating a new user or resetting a user’s password.
# Method 1: Using passwd
sudo passwd --expire zhangsan
# Method 2: Using chage to set the last change date to 1970-1-1 (epoch)
sudo chage -d 0 zhangsan
On the next login, the system will force the user to set a new password.
Scenario 3: Setting a Temporary Account
“Create a temporary intern account, password expires after 30 days, and the entire account automatically becomes invalid after 3 months.”
sudo useradd intern
sudo passwd intern # Set initial password
sudo chage -M 30 -E 2024-11-30 intern
5. Global Default Policy: <span>/etc/login.defs</span>
<span>chage</span> modifies the policy for a single user. The default password policy for new users created by the system comes from the <span>/etc/login.defs</span> file.
You can edit this file to modify the global defaults:
sudo vim /etc/login.defs
Find and modify the following parameters (the file contains detailed comments):
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
Note: Modifying <span>/etc/login.defs</span> only affects newly created users, and will not impact existing users. To modify existing users, you still need to use the <span>chage</span> command.
Summary and Best Practices
| Policy Item | Recommended Value | Security Implication |
Password Validity Period (<span>-M</span>) |
90 or 180 days | Enforces regular password changes, reducing the risk of long-term password cracking. |
Minimum Change Interval (<span>-m</span>) |
1-7 days | Prevents users from frequently reverting to old passwords to bypass history checks. |
Warning Period (<span>-W</span>) |
7 days | Gives users ample time to prepare for password changes. |
Grace Period (<span>-I</span>) |
0 or very short | Immediately locks the account after password expiration, preventing unauthorized access. |
Important Reminders:
- • Overly strict policies (such as very short validity periods) may lead to user fatigue and writing down passwords, requiring a balance between security and usability.
- • For service accounts, it is common to set
<span>chage -M 99999 -I -1 -E -1</span>to make them never expire, managed by automation tools. - • Regularly auditing user password policies using
<span>chage -l</span>is a good security practice.
For example:
chage -M 9999 user
• This command sets the maximum validity period of the specified user's password to 9999 days (about 27 years).
• The -M parameter is followed by the maximum number of days the password remains valid.
• This is a very lenient setting, essentially meaning the password will hardly ever expire.