chage
Change user password aging information
TLDR
List password information for the user
Enable password expiration in 10 days
Disable password expiration
Set account expiration date
Force user to change password on next log in
Re-enable an account
SYNOPSIS
chage [options] LOGIN
Common options:
chage [-l | -d LAST_DAY | -E EXPIRE_DATE | -I INACTIVE | -m MIN_DAYS | -M MAX_DAYS | -W WARN_DAYS] LOGIN
PARAMETERS
-l, --list
Display the current password aging information for the specified LOGIN. This is often the only option available to non-root users for their own account.
-d, --lastday LAST_DAY
Set the date of the last password change to LAST_DAY. This can be specified as a date in YYYY-MM-DD format or as the number of days since January 1, 1970.
-E, --expiredate EXPIRE_DATE
Set the date when the user's account will expire. After this date, the user will not be able to log in. EXPIRE_DATE can be in YYYY-MM-DD format or as days since epoch. A value of -1 will disable account expiration.
-I, --inactive INACTIVE
Set the number of days after a password expires until the account is locked. If the user does not change their password within the specified INACTIVE days after it expires, the account becomes unusable. A value of -1 disables this feature.
-m, --mindays MIN_DAYS
Set the minimum number of days required between password changes. A user cannot change their password again until MIN_DAYS have passed since the last change. A value of 0 allows immediate password changes.
-M, --maxdays MAX_DAYS
Set the maximum number of days a password remains valid. After MAX_DAYS, the user will be forced to change their password upon next login. A value of -1 disables password expiration.
-W, --warndays WARN_DAYS
Set the number of days before a password expires that a user will receive a warning message upon login. A value of 0 means no warning will be issued.
-h, --help
Display a help message and exit.
-R, --root CHROOT_DIR
Apply changes in the specified chroot directory. This is useful for managing accounts in a different root environment.
DESCRIPTION
The chage command is used by system administrators to alter user password aging information on a Linux system. This includes controlling how often a user must change their password, when their password expires, how many days their account remains active after a password expires, and how many days before expiration a user is warned. By managing these parameters, administrators can enforce security policies that require regular password changes, thereby reducing the risk of unauthorized access due to compromised or stale passwords. It directly modifies entries in the /etc/shadow file. The command is part of the shadow-utils package, which provides tools for managing user accounts and password security.
CAVEATS
Root privileges are generally required to modify another user's password aging information. A regular user can typically only view their own settings using chage -l.
Incorrect use of chage can inadvertently lock users out of their accounts or weaken security by setting lax password policies.
The account expiration date (set with -E) refers to the account itself, not just the password. Once expired, the user cannot log in.
CONFIGURATION FILES
chage primarily interacts with two system files:
/etc/shadow: This file stores encrypted passwords and all password aging information for user accounts. chage directly modifies entries in this file.
/etc/login.defs: This file contains system-wide default values for password aging parameters (e.g., PASS_MAX_DAYS, PASS_MIN_DAYS) that are applied when a new user is created. chage allows administrators to override these defaults for individual users.
HISTORY
The chage command is part of the shadow-utils package, which superseded earlier password management utilities in Unix-like systems. It was developed to enhance security by allowing for shadowed passwords (passwords stored in a file readable only by root, typically /etc/shadow) and comprehensive password aging policies. Its introduction centralized and standardized password aging management, moving away from systems where such policies were less granular or harder to enforce.