Linux Users and Groups

Shell Scripting

Bash Shell Scripting Tutorial

Linux chage command

The full form of chage is Change Age. If you want to change user's password-related information like password expiry date, account expiry date, a minimum number of days a password cannot be changed, etc. then use chage command.

The root user can execute this command to change any user's password information. A user can get and modify his own password related information, if he tries to modify other user aging information, he will get permission denied error. This command is very useful for system administrators who deal with password policy in their organization. chage command modifies /etc/shadow file based on the options that we pass to it while running.

By default, all Linux distributions come pre-installed with this command, in case your distribution does not have it then run the below command to install it-

#apt-get install chage

Syntax of Linux chage command

#chage [options] username

It is necessary to provide a username to this command to get password aging information of that user.

Command line options of Linux chage command

Options	Description
-l (small letter L)	Use to display account aging information
-m	This option sets the minimum number of days that must pass before a password can be changed. It modifies the fourth field of /etc/shadow file of the specified user. If you supply zero to this option which means a user can change his/her password at any time.
-M	This option sets the maximum number of days a password is valid. It modifies the fifth field of /etc/shadow file of the specified user.
-W	This option is used to set the number of days before password expiration a user is warned. It modifies the sixth field of /etc/shadow file of the specified user.
-I (capital I)	This option sets the number of inactive days after the password expires before the account will be disabled.It modifies the seventh field of /etc/shadow file of the specified user. If you supply -1(minus one) to this option which means an account will not be locked even after the password expires.
-E	This option sets the account expiry date of a user. You must supply a value of the format YYYY-MM-DD to this option. It modifies the eighth field of /etc/shadow file of the specified user. If you supply -1(minus one) to this option which means an account will never expire.

How to list password-related information of a user?

Use -l option to display password-related information. Here, we are checking this for user madhav.

#chage -l madhav
Last password change                                    : Nov 12, 2017
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

If user madhav tries to view the same information for user raghav, then he will get permission denied error message.

#chage -l raghav
chage: permission denied

How to set Password Expiry date for a user?

Use -M option to specify password expiry date. Suppose, we want to expire the password 20 days from the last password change for user madhav then run the below command-

#date
Thu Dec 28 09:42:41 UTC 2017

#passwd madhav
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

#chage -l madhav
Last password change                                    : Dec 28, 2017
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

#chage -M 20 madhav
Last password change                                    : Dec 28, 2017
Password expires                                        : Jan 17, 2018
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 20
Number of days of warning before password expires       : 7

How to set warning message of password expiration?

By default, the number of days before password expiration a user is warned is set to 7. But you can change it using -W option. So, when a user madhav logs in prior to 7 days of expiry i.e. on 10th Jan, 2018, he will get a warning message on his terminal.

# ssh madhav@myserver
madhav@myserver's password: 
Warning: your password will expire in 7 days

Suppose, we want to display warning message 4 days before password expiration, then run the below command:-

#chage -M 4 madhav
#chage -l madhav
Last password change                                    : Dec 28, 2017
Password expires                                        : Jan 17, 2018
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 20
Number of days of warning before password expires       : 4

How to lock user account after X number of inactive days have passed?

When a password expires, user has to change his password during next login. Suppose if a user has never login for 5 days after password expiration, you want to lock that user account, then use -I option. Run the below command-

#chage -I 5 madhav
#chage -l madhav
Last password change                                    : Dec 28, 2017
Password expires                                        : Jan 17, 2018
Password inactive                                       : Jan 22, 2018
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 20
Number of days of warning before password expires       : 4

How to set account expiry date of a user?

Suppose, you want to expire an account of user madhav on 1st Feb 2018, then use -E option.

#chage -E "2018-02-01" madhav
#chage -l madhav
Last password change                                    : Dec 28, 2017
Password expires                                        : Jan 17, 2018
Password inactive                                       : Jan 22, 2018
Account expires                                         : Feb 01, 2018
Minimum number of days between password change          : 0
Maximum number of days between password change          : 20
Number of days of warning before password expires       : 4

How to disable password aging of a user?

To disable password aging of a user, you have to provide following values to the command line options of chage command-

Options	Value
-E -1	It means an account will never expire.
-I -1	It means an account will not be disabled even after password expires.
-m 0	It means password can be changed at any time.
-M 99999	It means the password is valid for 99999 days from the last password changed date.

#chage -E -1 -I -1 -m 0 -M 99999 madhav
#chage -l madhav
Last password change                                    : Dec 28, 2017
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

How to force user to change the password on next login?

You can provide 0 value to -d option of chage command. This will force user to change the password on next login.

#chage -d 0 madhav