LinuxCommandLibrary

chage

Change user password aging information

TLDR

List password information for the user

$ chage [[-l|--list]] [username]
copy

Enable password expiration in 10 days
$ sudo chage [[-M|--maxdays]] [10] [username]
copy

Disable password expiration
$ sudo chage [[-M|--maxdays]] [-1] [username]
copy

Set account expiration date
$ sudo chage [[-E|--expiredate]] [YYYY-MM-DD] [username]
copy

Force user to change password on next log in
$ sudo chage [[-d|--lastday]] [0] [username]
copy

Re-enable an account
$ sudo chage [[-E|--expiredate]] -1 [username]
copy

SYNOPSIS

chage [OPTION]... [USERNAME]

PARAMETERS

-l, --list
    List account aging information for USERNAME

-m, --mindays DAYS
    Minimum days between password changes (0=immediate)

-M, --maxdays DAYS
    Maximum days password remains valid (99999=unlimited)

-d, --lastday LAST_DAY
    Set date of last password change (YYYY-MM-DD or days since 1970)

-I, --inactive INACTIVE
    Days after expiration before account locks (-1=never)

-E, --expiredate EXPIRE_DATE
    Account expiration date (YYYY-MM-DD or days since 1970)

-W, --warndays DAYS
    Days to warn before password expiration (7=default)

-h, --help
    Display help and exit

-V, --version
    Output version information

DESCRIPTION

chage is a command-line utility for changing user password aging information in Linux systems using shadow passwords. It enables system administrators to enforce password policies by setting limits on password validity, such as minimum days between changes (-m), maximum password age (-M), warning period before expiration (-W), inactivity period after expiration (-I), last password change date (-d), and account expiration date (-E). These settings help mitigate security risks from stale or compromised passwords.

Without a username, chage affects the current user; otherwise, it targets the specified user. Most operations require root privileges, as changes are written to the protected /etc/shadow file. The -l option lists current settings in a readable format, aiding policy audits. Password aging promotes regular updates, reducing brute-force attack windows and encouraging strong credentials. It's essential for compliance with standards like PCI-DSS or NIST guidelines.

Values can be numeric days (0 disables) or dates like YYYY-MM-DD. Unspecified fields inherit system defaults from /etc/login.defs.

CAVEATS

Requires root privileges for non-current users. Invalid dates cause errors. Changes affect /etc/shadow fields 3-8 only; 0 disables limits.

SHADOW FILE FIELDS

Modifies: field 3 (last change), 4 (min), 5 (max), 6 (warn), 7 (inactive), 8 (expire). See shadow(5).

DEFAULTS

Inherited from /etc/login.defs (PASS_MIN_DAYS, etc.) if not set.

HISTORY

Developed as part of the Shadow Password Suite by Julianne Frances Haugh starting in 1991. Adopted by major Linux distros (Red Hat, Debian) in mid-1990s with shadow password migration from traditional /etc/passwd.

SEE ALSO

passwd(1), chsh(1), chfn(1), usermod(8), shadow(5), login.defs(5)

Copied to clipboard