Home / server / Questions / 7873
Accepted
anonymous coward
Asked: 2009-05-14 09:10:57 +0800 CST

Set up Linux user password expiration

  • 772

How do I set up password expiration policies for user accounts in Linux? Is it vastly different on each distribution?

In particular I use some Debian/Ubuntu servers, but links to appropriate info for other distros is obviously welcome.

[couldn't find a duplicate Q, but let me know]

linux password

2 Answers

  1. Best Answer

    I posted slightly quickly, it looks like both passwd and chage will work for what you would like to accomplish:

    sudo chage [username] will interactively allow you to set things. Otherwise here is the help output of chage and passwd.

    chage --help output: chage --help Usage: chage [options] [LOGIN]

    Options:
  -d, --lastday LAST_DAY        set last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximim number of days before password
                                change to MAX_DAYS
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS

    Output from command passwd --help - 

    passwd --help
Usage: passwd [options] [LOGIN]

Options:
  -a, --all                     report password status on all accounts
  -d, --delete                  delete the password for the named account
  -e, --expire                  force expire the password for the named account
  -h, --help                    display this help message and exit
  -k, --keep-tokens             change password only if expired
  -i, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --lock                    lock the named account
  -n, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -q, --quiet                   quiet mode
  -r, --repository REPOSITORY   change password in REPOSITORY repository
  -S, --status                  report password status on the named account
  -u, --unlock                  unlock the named account
  -w, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
  -x, --maxdays MAX_DAYS        set maximim number of days before password
                                change to MAX_DAYS
    • 5

  2. You can set up expiration policies in /etc/login.defs - specifically PASS_MAX_DAYS=, PASS_MIN_DAYS= and PASS_WARN_AGE=

    Also you need to edit /etc/default/useradd - INACTIVE= and EXPIRE=

    It's not exactly the same situation, but there is more info here: Expiring Inactive User Accounts

    • 4