32.2.4. Password Aging
For security reasons, it is advisable to require users to change their passwords periodically. This can be done when adding or editing a user on the Password Info tab of the User Manager.
To configure password expiration for a user from a shell prompt, use the
chage
command, followed by an option from Table 32.3, “chage
Command Line Options”, followed by the username of the user.
Important
Shadow passwords must be enabled to use the
chage
command.
Option | Description |
---|---|
-m <days> | Specifies the minimum number of days between which the user must change passwords. If the value is 0, the password does not expire. |
-M <days> | Specifies the maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the -d option is less than the current day, the user must change passwords before using the account. |
-d <days> | Specifies the number of days since January 1, 1970 the password was changed |
-I <days> | Specifies the number of inactive days after the password expiration before locking the account. If the value is 0, the account is not locked after the password expires. |
-E <date> | Specifies the date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used. |
-W <days> | Specifies the number of days before the password expiration date to warn the user. |
Note
If the
chage
command is followed directly by a username (with no options), it displays the current password aging values and allows them to be changed.
You can configure a password to expire the first time a user logs in. This forces users to change passwords the first time they log in.
Note
This process will not work if the user logs in using the SSH protocol.
- Lock the user password — If the user does not exist, use the
useradd
command to create the user account, but do not give it a password so that it remains locked.If the password is already enabled, lock it with the command:usermod -L username
- Force immediate password expiration — Type the following command:
chage -d 0 username
This command sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place. - Unlock the account — There are two common approaches to this step. The administrator can assign an initial password or assign a null password.
Warning
Do not use thepasswd
command to set the password as it disables the immediate password expiration just configured.To assign an initial password, use the following steps:- Start the command line Python interpreter with the
python
command. It displays the following:Python 2.4.3 (#1, Jul 21 2006, 08:46:09) [GCC 4.1.1 20060718 (Red Hat 4.1.1-9)] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>>
- At the prompt, type the following commands. Replace <password> with the password to encrypt and <salt> with a random combination of at least 2 of the following: any alphanumeric character, the slash (/) character or a dot (.):
import crypt; print crypt.crypt("<password>","<salt>")
The output is the encrypted password, similar to'12CsGd8FRcMSM'
. - Press Ctrl-D to exit the Python interpreter.
- At the shell, enter the following command (replacing <encrypted-password> with the encrypted output of the Python interpreter):
usermod -p "<encrypted-password>" <username>
Alternatively, you can assign a null password instead of an initial password. To do this, use the following command:usermod -p "" username
Warning
Using a null password, while convenient, is a highly unsecure practice, as any third party can log in first an access the system using the unsecure username. Always make sure that the user is ready to log in before unlocking an account with a null password.In either case, upon initial log in, the user is prompted for a new password.