Skip to main content
RH124

Password Ageing

By December 18, 2019September 12th, 2022No Comments

RHCSA 8 Study Guide

In this blog we dice into Linux Password ageing and disabling Linux logins. Useful both for your real life Linux administration and exam objectives for many certification including the Red Hat RHCSA. We can use the passwd command to manage password ageing but the most specific command for this is chage. Users can list their own password ageing information:

$ chage -l tux
Last password change      : never
Password expires       : never
Password inactive      : never
Account expires       : never
Minimum number of days between password change  : 0
Maximum number of days between password change  : 99999
Number of days of warning before password expires : 7

This is the same information that we saw from the /etc/shadow file. The for user can list any account information as well as configuring ageing. We can expire an account using the -E option, using 1 as the date will lock the account from 1 day after the Linux epoch of 1/1/1970:

$ sudo chage -E 1 user1
$ sudo chage -l user1
Last password change      : Nov 04, 2019
Password expires       : never
Password inactive      : never
Account expires       : Jan 02, 1970
Minimum number of days between password change  : 0
Maximum number of days between password change  : 99999
Number of days of warning before password expires : 7
$ sudo getent shadow user1
user1:$6$tbZIk.tJoL/$9GXYjNTYT5TTIEC8OVyRWv5X1kyM3IIjQ3SZqec14rXRhHkBcwaTppvq2HTF4Od.mfWSp/Pdx37PTwZKaVo7f1:18204:0:99999:7::1:

The user cannot login as the account has expired:

$ ssh user1@192.168.56.200
Warning: Permanently added '192.168.56.200' (ECDSA) to the list of knownhosts.
user1@192.168.56.200's password: 
Your account has expired; please contact your system administrator
Connection closed by 192.168.56.200 port 22

We can reverse the change by clearing the field:

$ sudo chage -E "" user1

The user can now log in, the failed logins will have been logged. The help documentation, chage –help is useful as a summary. More details help can be obtained from man chage.

If a user is going to be away from work and not requiring a login for a little time, we may choose to protect the account by locking the account.

To lock an account, preventing password based authentication we can lock the account password:

$ sudo passwd -l user1 
Locking password for user user1.
passwd: Success

To view the status of an account:

$ sudo passwd -S user1
user1 LK 2019-11-04 0 99999 7 -1 (Password locked.)

To unlock the user1 account:

$ sudo passwd -u user1 
Unlocking password for user user1.
passwd: Success

Locking the password prevents the use of the password for authentication, it is a valid password ageing mechanism but it does not prevent other authentication methods:

$ sudo passwd -l user1

Then password based authentication is disabled. Using SSH Keys or Kerberos as an authentication mechanism then we can still login in as that account. Expiring the user account is a better option as all authentication is prevented to that expired account:

As an alternative to expiring the user account, we can disable the password stopping non-interactive logins such as email and ftp. The prevent interactive logins using non-password based authentication we can set and invalid shell:

$ sudo chsh -s /sbin/nologin user1
Changing shell for user1.
chsh: Warning: "/sbin/nologin" is not listed in /etc/shells.
Shell changed.
Online Instructor Led Training