Monday, 26 August 2013

Ubuntu Password Expiration Policy

Suppose we want to enforce a password expiration policy on our Ubuntu Linux system, so that users have to change their passwords every 45 days. By default no password expiration policy is in place in Ubuntu, so user account passwords never expire. We can view the policy using the chage command:

For example, to check the password expiration policy for the user admino:
# chage -l admino

-l : show account aging information


I want to change the password expiration to 45 days so that the user is forced to change the password every 45 days.

# chage -M 45 admino

-M MAX_DAYS : set maximum number of days before password change to MAX_DAYS

After modifying the password expiration for the user admino, let's examine the aging information:


We can see that the policy has been enforced to the user’s account.

The /etc/shadow file contains each user's password aging information. We can also edit this file to change the password policy.


Suppose we have a user test, and we want to set the number of days of warning before a password change is required to 10 days.


We can edit the /etc/shadow file and change the password warning period field for the test user to 10.


Now let's see the password aging information again:


We can see the change.

The steps above apply to existing users. If we want to deploy a default password expiration policy for all new users that will be created in the future, we can edit the /etc/login.defs file and change the required parameters.

Say we want to deploy a default maximum password expiration of 30 days and a password expiration warning of 10 days when a new user is created.

Open /etc/login.defs and edit the PASS_MAX_DAYS and PASS_WARN_AGE variables.
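
Since /etc/login.defs only affects users created afterwards, existing /etc/shadow entries still have to be checked against the policy. The following is an added example, not part of the original post: a shell function that flags accounts whose maximum age or warning period misses the policy. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit shadow-format entries against a password aging policy.
# Shadow fields: 1=name 2=hash 3=last change 4=min days 5=max days
#                6=warn days 7=inactive 8=expire 9=reserved

# audit_aging FILE MAX_DAYS WARN_DAYS
# Prints one line per account with a usable password that misses the policy.
audit_aging() {
    awk -F: -v max="$2" -v warn="$3" '
        # Accounts whose hash field starts with ! or * cannot log in
        # with a password, so aging does not matter for them.
        $2 ~ /^[!*]/ { next }
        {
            problems = ""
            # Field 5: maximum days between password changes.
            if ($5 == "" || $5 + 0 > max + 0)
                problems = problems " max=" ($5 == "" ? "unset" : $5)
            # Field 6: days of warning before the password expires.
            if ($6 == "" || $6 + 0 < warn + 0)
                problems = problems " warn=" ($6 == "" ? "unset" : $6)
            if (problems != "")
                print $1 ":" problems
        }
    ' "$1"
}

# Constructed sample entries (placeholder hashes, not real ones).
# For a real audit, run audit_aging against /etc/shadow as root.
make_sample() {
    cat <<'EOF'
admino:$6$constructed$hashA:15943:0:45:10:::
test:$6$constructed$hashB:15943:0:99999:10:::
olduser:$6$constructed$hashC:15000:0:99999:7:::
daemon:*:15937:0:99999:7:::
locked:!$6$constructed$hashD:15943:0:99999:7:::
EOF
}

sample=$(mktemp)
make_sample > "$sample"
audit_aging "$sample" 45 10   # policy: max 45 days, warn 10 days
rm -f "$sample"
```

Each flagged account can then be brought into line with chage -M, as shown earlier for admino.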