The chage command is used to list the existing password aging policy or to modify the policy. The /etc/shadow file contains nine colon-separated fields, which include both the encrypted password and the password aging policy. The following is the format of the information contained in the /etc/shadow file:
name : password : lastchange : minage : maxage : warning : inactive : expire : blank
The following table lists the /etc/shadow file fields and their descriptions:
| Field | Description |
| --- | --- |
| Login name | It is the user account login name on the local system. |
| Password | It is an encrypted password. If this field contains the ! symbol, then it means the password is locked. |
| Lastchange | It is the date of the last password change, represented by the number of days since 01.01.1970. |
| Minimum age | It is the minimum number of days before which a password cannot be changed. 0 in this field means no minimum day requirement. |
| Maximum age | It is the maximum number of days after which the password must be changed. |
| Warning Period | It is the number of days before password expiry, when the user starts getting a warning to change their password. 0 in this field means no warning would be given. |
| Inactive | It is the number of days an account remains active after a password has expired. A user can still log in during this inactive period and change their password. After the specified number of days, the account will get locked and become inactive. |
| Expiry date | It is the account expiration date, represented as the number of days since 01.01.1970. |
| Blank | A blank field reserved for future use. |
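The nine fields described above can be turned into a per-account aging status by converting the day counts to dates. The following Python code is an added example, not part of the original text: the function names, the status labels, the sample lines and the choice to treat a boundary day as already reached are all assumptions of this example.

```python
from collections import namedtuple
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
# The ninth (blank) field is validated but not stored.
Shadow = namedtuple("Shadow", "name password lastchange minage maxage warning inactive expire")

def parse(line):
    """Split one /etc/shadow line into its nine fields; empty numeric fields become None."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}")
    return Shadow(f[0], f[1], *(int(x) if x else None for x in f[2:8]))

def to_date(days):
    """Convert a days-since-1970-01-01 count to a calendar date (None stays None)."""
    return None if days is None else EPOCH + timedelta(days=days)

def status(e, today):
    """Classify an entry on a given date; a boundary day counts as reached (assumption)."""
    now = (today - EPOCH).days
    if e.password.startswith("!"):          # lock marker in the password field
        return "locked"
    if e.expire is not None and now >= e.expire:
        return "account_expired"
    if e.lastchange == 0:                   # what chage -d 0 sets
        return "must_change_at_next_login"
    if e.lastchange is None or e.maxage is None or e.maxage < 0:
        return "password_never_expires"
    expires = e.lastchange + e.maxage
    if e.inactive is not None and now >= expires + e.inactive:
        return "inactive"
    if now >= expires:
        return "password_expired"           # still inside the inactive grace period
    if e.warning and now >= expires - e.warning:
        return "warning"
    return "ok"

# Constructed sample lines (not real accounts or hashes).
SAMPLE = [
    "alice:$6$constructed$hash:19000:3:30:7:14:19500:",
    "bob:!$6$constructed$hash:19000:0:99999:7:::",
    "carol:$6$constructed$hash:0:0:30:7:::",
    "dave:$6$constructed$hash:19000:0:::::",
]

if __name__ == "__main__":
    for entry in map(parse, SAMPLE):
        print(entry.name, status(entry, date(2022, 2, 1)), to_date(entry.lastchange))
```

Accounts reported as password_never_expires are the ones the default policy leaves without a maximum age.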
By default, passwords are set to not expire. Forcing passwords to expire is part of a strong security policy. We can modify the default expiration settings by making changes in the /etc/login.defs file. We can change the password aging policy using the chage command. The syntax of the chage command is as follows:
$ chage [option] <username>
An example of the chage command to list all existing password aging policy parameters for a user is shown in the following screenshot:
The following table lists the various options that are used with the chage command and their descriptions:
| Option | Description |
| --- | --- |
| chage -l <username> | Lists all the user's current aging parameter settings |
| chage -d 0 <username> | Forces password change on next login |
| chage -m 3 <username> | Sets the minimum number of days a user can keep a password |
| chage -M 30 <username> | Sets the maximum number of days a user can keep a password (-1 here means unlimited) |
| chage -W 7 <username> | Sets the number of days at which the user starts getting warnings before a password change |
| chage -d YYYY-MM-DD <username> | Sets the last change date for a password (the /etc/shadow file stores the number of days starting from 1 Jan 1970) |
| chage -E YYYY-MM-DD <username> | Sets the password expiration date for the user (the /etc/shadow file stores the number of days starting from 1 Jan 1970) |
An example of the chage command to modify various parameters is shown in the following screenshot: