expiry
Modify user password expiration date
SYNOPSIS
expiry [-f|-c] [username...]
PARAMETERS
-c
Check if any password(s) are expired. Sets exit status 0 if none expired, 1 otherwise. Produces no output.
-f
Display only the date(s) when password(s) will expire. Performs no expiration check.
DESCRIPTION
The expiry command analyzes password aging information from /etc/shadow for specified user accounts or the current user if none are provided. It displays key details including the date the password was last changed, the upcoming expiration date (calculated as last change plus maximum age), and remaining days until expiry.
Without options, it provides a summary for each user. The -f option limits output to expiration dates only, useful for scripting. The -c option silently checks for expired passwords, returning exit status 0 if none expired or 1 otherwise—no output is produced.
This utility enforces password policies by helping administrators identify overdue changes, ensuring compliance with security standards. It depends on shadow password fields like DATE_LAST_CHANGED, MAX_CHANGE_DAYS, and INACTIVE_DAYS. Privileged access is required to read /etc/shadow; regular users can only inspect their own entries.
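The calculation described above (expiration date = last change plus maximum age, with days remaining and the inactive period), as an added Python example that is not code from shadow-utils. The field layout is assumed from shadow(5), the sample entries are constructed, and the function names are hypothetical.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow dates are stored as days since this day

# Constructed sample entries (not real accounts), assumed shadow(5) layout:
# name:hash:last_change:min:max:warn:inactive:account_expire:reserved
SAMPLE_SHADOW = """\
alice:!:19700:0:90:7:14::
bob:!:19800:0:90:7:::
svc_backup:!:19000:0:::::
carol:!::0:90:7:::
"""


def password_aging(line, today):
    """Aging details for one shadow line, or None when it has no aging data."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"malformed shadow entry: {fields[0]!r}")
    name, last_change, max_days, inactive = (fields[i] for i in (0, 2, 4, 6))
    if not last_change or not max_days:
        return None  # no last-change date or no maximum age: nothing to compute
    changed = EPOCH + timedelta(days=int(last_change))
    expires = changed + timedelta(days=int(max_days))  # last change + maximum age
    days_left = (expires - today).days
    # The inactive field is a grace period in days after the password expires.
    past_grace = bool(inactive) and days_left < -int(inactive)
    return {"user": name, "changed": changed, "expires": expires,
            "days_left": days_left, "expired": days_left < 0,
            "past_grace": past_grace}


def report(shadow_text, today):
    """Parse every entry, skipping accounts without aging data."""
    rows = (password_aging(l, today) for l in shadow_text.splitlines() if l)
    return [r for r in rows if r is not None]


def check_status(shadow_text, today):
    """Exit status in the style described for -c: 0 if none expired, else 1."""
    return 1 if any(r["expired"] for r in report(shadow_text, today)) else 0


if __name__ == "__main__":
    today = date(2024, 4, 1)  # fixed date so the output is reproducible
    for r in report(SAMPLE_SHADOW, today):
        print(f'{r["user"]}: changed {r["changed"]}, expires {r["expires"]}, '
              f'{r["days_left"]} days remaining')
    raise SystemExit(check_status(SAMPLE_SHADOW, today))
```

Accounts with an empty last-change or maximum-age field are skipped, matching the caveat that entries without aging data are ignored.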
CAVEATS
Requires read access to /etc/shadow (root or shadow group).
Non-privileged users are limited to their own account.
Assumes a valid shadow file; ignores accounts without aging data.
DEFAULT OUTPUT
For each username: last change date, expiry date, days remaining.
Uses current user if no arguments given.
EXIT STATUS
0: No expirations found.
1: At least one password expired.
HISTORY
Developed as part of shadow-utils by Julianne Frances Haugh in 1992 to support secure password aging, replacing flat /etc/passwd storage.


