expiry
Modify user password expiration date
SYNOPSIS
expiry [ -c ] [ -f ] [ -h ] [ -q ]
PARAMETERS
-c
Checks for expired passwords and reports accounts that require password changes without forcing any actions.
-f
Forces password expiration for accounts that have exceeded their validity period or are about to exceed it, potentially requiring a password change on next login.
-h
Displays a brief help message and exits.
-q
Runs in quiet mode, suppressing most standard output messages, making it suitable for cron jobs.
DESCRIPTION
The expiry command is a utility found within the shadow-utils package, designed to manage and enforce password expiration policies on Linux systems. It scans through the system's user accounts, primarily consulting the password aging information stored in the /etc/shadow file for each user. Its main purpose is to identify accounts where the password has expired or is about to expire.
Depending on its invocation (with or without options), expiry can force users to change their passwords upon their next login, lock accounts that have critically overdue password changes, or simply report on the status of user passwords. System administrators commonly schedule expiry to run periodically via cron jobs to maintain a strong security posture by ensuring regular password updates and preventing the use of long-stale credentials.
CAVEATS
The expiry command requires root privileges to function correctly, as it interacts with sensitive system files like /etc/shadow. Its exact behavior and available options may vary slightly depending on the specific version of the shadow-utils package and the Linux distribution being used. It is often configured to run automatically via a cron job.
CONFIGURATION FILES
expiry relies heavily on two primary configuration files: /etc/shadow, which stores per-user password aging information (like last changed date, minimum/maximum days between changes, and warning days), and /etc/login.defs, which defines system-wide default values for password policies (e.g., PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE).
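The aging fields described above can be read directly to see which accounts a policy check would flag. The following is an added example, not code from shadow-utils or from the original page; the status labels, the comparison rules and the sample lines are assumptions constructed for illustration, following the nine-field layout of /etc/shadow.

```python
from datetime import date

# Constructed sample lines in /etc/shadow layout (hash replaced by "x"):
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE = """\
alice:x:19860:0:90:7:::
bob:x:19790:0:90:7:::
carol:x:19700:0:90:7:::
dave:x:19700:0:90:7:30::
erin:x:0:0:90:7:::
svc:x:19000:0::7:::
temp:x:19860:0:90:7::19800:
"""
TODAY = (date(2024, 6, 1) - date(1970, 1, 1)).days  # days since the epoch

def _num(field):
    """An empty shadow field means 'not set'."""
    return int(field) if field else None

def aging_status(line, now):
    """Return (user, status) for one shadow line as of day number `now`."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 colon-separated fields")
    last, _min, mx, warn, inact, acct_exp = (_num(x) for x in f[2:8])
    if acct_exp is not None and now >= acct_exp:
        return f[0], "account-expired"
    if last == 0:
        return f[0], "must-change"        # change required at next login
    if last is None or mx is None:
        return f[0], "no-aging"           # no maximum age to enforce
    expires = last + mx
    if inact is not None and now > expires + inact:
        return f[0], "inactive"           # grace period after expiry is over
    if now > expires:
        return f[0], "expired"
    if warn is not None and now >= expires - warn:
        return f[0], "warning"
    return f[0], "ok"

def audit(text, now):
    """Classify every non-empty line; returns {user: status}."""
    return dict(aging_status(l, now) for l in text.splitlines() if l)

if __name__ == "__main__":
    for user, status in audit(SAMPLE, TODAY).items():
        print(f"{user:8} {status}")
```

Accounts reported as no-aging have no maximum age set in their own entry, so they are the ones to review against the PASS_MAX_DAYS default in /etc/login.defs.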
SECURITY IMPLICATIONS
Regular use of expiry is fundamental for maintaining strong system security. By enforcing timely password changes, it mitigates the risk of compromised or brute-forced passwords remaining active indefinitely, thereby reducing potential attack vectors and improving overall system resilience against unauthorized access.
HISTORY
The expiry command is an integral part of the shadow-utils suite, which was developed to enhance the security of Unix-like systems by separating user passwords from the publicly readable /etc/passwd file into the secured /etc/shadow file. This separation allowed for more robust password aging policies and stronger password hashes.
expiry evolved as a tool to enforce these policies, ensuring that users regularly update their credentials, a crucial aspect of system security. It has been a standard utility in most Linux distributions for many years, working in conjunction with tools like chage to manage password aging.