Chage Command in Linux

Last updated: March 15, 2022

Password is a critical aspect of Linux security and you need to periodically change your password to ensure the complete safety of your system. This may not come naturally to most of the users and thus the system administrator needs to enforce password change. Linux provides the chage, also known as change age, a command-line utility to check, set, and update the password expiration date.

In this tutorial, we will learn about chage command in Linux to update user password expiry information.

Prerequisites

  • Access to Linux terminal.
  • Root user or sudo privileges to run the commands.
  • Some familiarity with the Linux command-line interface.

Chage Command

The chage command displays and updates the user password expiry information. You can specify the number of days after which the user account password expires. This command helps the system administrator to audit the user accounts.

The chage command can enforce users to periodically update the user password to ensure absolute system safety. You can use this command to set an account expiration date on the user accounts that are required only for a limited time.

Syntax

The syntax of the chage command-line utility is:

chage [options] username

How to Use Chage Command

You can use the chage command with various options to manage password expiration and aging. For example, the chage command can be used to display the account aging information of a user. It can also be used to disable password expiration for a user.

Use the chage command followed the -l or --list option and a user name to display password aging information about a particular user:

chage -l tom
print password aging information

The date needs to be in YYYY-MM-DD format for all the chage command options that accept a date as an input.

The default values for password aging information can be found in /etc/login.defs file. You can change the controls such as PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN, and PASS_WARN_AGE.

linux password age policy

Chage Command Examples

The chage command can be used to set various account aging options. The following examples show you how to set password expiry, account expiry, and other options.

Update Last Password Change Date

When a user changes his/her password, the last password change date changes. You can manually update this date using the -d option.

To set the last password change date to 31 December 2022 for a user named tom:

sudo chage -d 2022-12-31 tom
output of chage -d

You can set the password to expire immediately and the next login user will be forced to change the password by using the value 0 instead of date.

sudo chage -d 0 tom

Set Password Expiry Date

Unless specified while creating a user account, the account count expiry date is set to never by default.

You can configure when a particular user account will expire. This ensures that the user account (could be a temporary account) will expire on the specified date and the account will be unusable. To set or change the account expiration date use -E option.

sudo chage -E 2025-12-31 tom
set password to expire on a date

You can revert back the account expiration date to never by using the value -1 with -E option.

sudo chage -E -1 tom

Set Password Expiry Date Warning

Once you set the password expiry option, the expiry date is updated in the system. As per the “Number of days of warning before password expires” setting, users will get a warning that their password is going to expire on the set date.

You can also change the number of warning days for a particular user:

sudo chage -W 10 tom
set password expire warning

Here the user tom gets a warning message to change his password 10 days before his password expires.

Change Minimum Number of Days

To set a minimum number of days between the password changes, use the -m options.

For example, to set a user to wait for 5 days to change his password again, type:

sudo chage -m 5 tom
minimum number of 5 days between password changes

The value of zero (0) indicates that the user may change password any time.

Maximum days password Valid

The -M option allows you to set a maximum number of days in which the user is allowed to use the password.

To set a maximum of 20 days during which a password is valid, type:

sudo chage -M 20 tom
set maximum number of 20 days password valid for a user

The value -1 for MAX_DAYS will remove checking a password validity.

Set Account Inactivity Period

Use the chage -I command to specify the total number of days in which the account password will be inactive if the expired is not changed. This option is helpful to keep the account inactive if the user does not log in to the account after the password expired and thereafter the account gets locked.

sudo chage -I 10 tom
set user account inactive for a period

Use value -1 to set password inactive days to never.

You can use usermod command to lock and unlock an account.

Disable Account Aging

Now, if you decide the keep any account active forever, you can also use the chage command to disable password and account expiry for a user:

sudo chage -I -1 -m 0 -M 99999 -E -1 tom
disable user account aging

In this example:

  • -I -1 sets password inactive to never.
  • -m 0 sets the minimum number of days between password change to 0 (zero).
  • -M 99999 sets the maximum number of days between password change to 99999.
  • -E -1 sets account expiry to never.

Chage Command Options

The chage command provides the following options to perform different account password expiry and audit-related operations:

OptionDescription
-d LAST_DAYSets when the password was last changed. It can be either in a date format YYYY-MM-DD or the number of days since January 1st, 1970.
-E EXPIRE_DATESets when the password will expire, either in date format or number of days since January 1st, 1970.
-I INACTIVESets the number of days during which the password will be inactive. After the set number of days, the account will be locked. The -I -1 option will disable account inactivity.
-lDisplays currently set aging information for the given user.
-m MIN_DAYSSets the minimum number of days that must pass between two password changes. If you set it to 0 (zero), then the password can be changed at any time.
-M MAX_DAYSSets the maximum validity period of a password in the number of days.
-W WARN_DAYSSets the warning period in the number of days. During this period, a user will be sent warnings that their password is going to expire after the set number of days.

Conclusion

In this tutorial, we learned how to use the chage command and manage password expiry information. These commands will work on most of the commonly used Linux distributions, such as Ubuntu, Debian, Red Hat, Fedora, and CentOS.

SHARE

Comments

Please add comments below to provide the author your ideas, appreciation and feedback.

Leave a Reply

Leave a Comment