chage stands for "change age". Use the chage command to change a user's password-aging information, such as the password expiry date, the account expiry date, or the minimum number of days before a password can be changed.
The root user can execute this command to change any user's password information. A user can get and modify his own password-related information; if he tries to modify another user's aging information, he will get a permission denied error. This command is very useful for system administrators who deal with password policy in their organization. The chage command modifies the /etc/shadow file based on the options passed to it.
By default, all Linux distributions come pre-installed with this command. If your distribution does not have it, install the package that provides it (on Debian and Ubuntu, chage ships in the passwd package):
```
#apt-get install passwd
```
```
#chage [options] username
```
You must provide a username to this command to get the password aging information of that user.
Options | Description |
---|---|
-l (small letter L) | Displays account aging information. |
-m | Sets the minimum number of days that must pass before a password can be changed. It modifies the fourth field of the specified user's /etc/shadow entry. A value of zero means the user can change his/her password at any time. |
-M | Sets the maximum number of days a password is valid. It modifies the fifth field of the specified user's /etc/shadow entry. |
-W | Sets the number of days before password expiration that a user is warned. It modifies the sixth field of the specified user's /etc/shadow entry. |
-I (capital I) | Sets the number of inactive days after the password expires before the account is disabled. It modifies the seventh field of the specified user's /etc/shadow entry. A value of -1 (minus one) means the account will not be locked even after the password expires. |
-E | Sets the account expiry date of a user. The value must be in the format YYYY-MM-DD. It modifies the eighth field of the specified user's /etc/shadow entry. A value of -1 (minus one) means the account will never expire. |
Use the -l option to display password-related information. Here, we are checking this for user madhav.
```
#chage -l madhav
Last password change : Nov 12, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
```
If user madhav tries to view the same information for user raghav, he will get a permission denied error message.
```
#chage -l raghav
chage: permission denied
```
Use the -M option to specify the password expiry date. Suppose we want the password of user madhav to expire 20 days after the last password change; then run the commands below:
```
#date
Thu Dec 28 09:42:41 UTC 2017
#passwd madhav
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
#chage -l madhav
Last password change : Dec 28, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
#chage -M 20 madhav
#chage -l madhav
Last password change : Dec 28, 2017
Password expires : Jan 17, 2018
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 20
Number of days of warning before password expires : 7
```
By default, a user is warned 7 days before password expiration, but you can change this using the -W option. So, when user madhav logs in within 7 days of expiry, i.e. from 10th Jan, 2018, he will get a warning message on his terminal.
```
# ssh madhav@myserver
madhav@myserver's password:
Warning: your password will expire in 7 days
```
Suppose we want to display the warning message 4 days before password expiration; then run the command below:
```
#chage -W 4 madhav
#chage -l madhav
Last password change : Dec 28, 2017
Password expires : Jan 17, 2018
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 20
Number of days of warning before password expires : 4
```
When a password expires, the user has to change his password during the next login. Suppose you want to lock a user account if the user has not logged in for 5 days after password expiration; then use the -I option. Run the command below:
```
#chage -I 5 madhav
#chage -l madhav
Last password change : Dec 28, 2017
Password expires : Jan 17, 2018
Password inactive : Jan 22, 2018
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 20
Number of days of warning before password expires : 4
```
Suppose you want the account of user madhav to expire on 1st Feb 2018; then use the -E option.
```
#chage -E "2018-02-01" madhav
#chage -l madhav
Last password change : Dec 28, 2017
Password expires : Jan 17, 2018
Password inactive : Jan 22, 2018
Account expires : Feb 01, 2018
Minimum number of days between password change : 0
Maximum number of days between password change : 20
Number of days of warning before password expires : 4
```
To disable password aging for a user, provide the following values to the command line options of the chage command:
Options | Value |
---|---|
-E -1 | The account will never expire. |
-I -1 | The account will not be disabled even after the password expires. |
-m 0 | The password can be changed at any time. |
-M 99999 | The password is valid for 99999 days from the last password change date. |
```
#chage -E -1 -I -1 -m 0 -M 99999 madhav
#chage -l madhav
Last password change : Dec 28, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
```
You can pass the value 0 to the -d option of the chage command. This forces the user to change the password on the next login.
```
#chage -d 0 madhav
```