Overview of password policies
By the end of this article you should be able to answer the following questions:
There are many settings associated with a user account's password. passwd and chage are the two main commands for viewing and managing them. Let's first take a look at the passwd command:
$ passwd --help
Usage: passwd [OPTION...]
  -k, --keep-tokens       keep non-expired authentication tokens
  -d, --delete            delete the password for the named account (root only)
  -l, --lock              lock the password for the named account (root only)
  -u, --unlock            unlock the password for the named account (root only)
  -e, --expire            expire the password for the named account (root only)
  -f, --force             force operation
  -x, --maximum=DAYS      maximum password lifetime (root only)
  -n, --minimum=DAYS      minimum password lifetime (root only)
  -w, --warning=DAYS      number of days warning a user receives before password expiration (root only)
  -i, --inactive=DAYS     number of days after password expiration when an account becomes disabled (root only)
  -S, --status            report password status on the named account (root only)
  --stdin                 read new tokens from stdin (root only)

Help options:
  -?, --help              Show this help message
  --usage                 Display brief usage message
Here are some examples of how this command is used:
$ passwd {username}    # changes the password for the given user (root can do this for anyone; a user only for himself)
$ passwd -l {username} # (l)ocks the user's password
$ passwd -u {username} # (u)nlocks it again
You can also lock and unlock with usermod -L and usermod -U, which do exactly the same thing, and passwd -S shows whether a password is currently locked. Note what a "lock" actually is: it prepends a "!" to the password hash in /etc/shadow, so the stored hash can no longer match any password. That only blocks password authentication; a user who logs in with an SSH key is unaffected. To disable an account completely you also need an account expiry date (the -E option of chage, covered below).
Configuring password policies
Most of the password policies are configured using the chage command:
$ chage --help
Usage: chage [options] LOGIN

Options:
  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximum number of days before password change to MAX_DAYS
  -R, --root CHROOT_DIR         directory to chroot into
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
The chage command essentially edits the aging fields of the user's entry in the /etc/shadow file (last change, min, max, warn, inactive and account expiry, all stored as day counts: the dates as days since 1970-01-01, the others as spans in days). So to learn more about the above options, check the shadow man page as well as chage's own:
$ man 5 shadow # run 'whatis shadow' first to locate the right section
$ man chage
Both of these have really useful info.
Based on the above, to view a user's password policies, for example for a user account called "donald", we do:
$ chage -l donald
Last password change                                    : Oct 24, 2015
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
Here you'll see some default values, e.g. 99999 for the maximum age, which is roughly 274 years and so means "never expires" in practice. These defaults come from the /etc/login.defs file (PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE) and are copied into /etc/shadow when useradd creates an account. Changing login.defs therefore only affects accounts created afterwards; existing accounts keep whatever is in their shadow entry and have to be adjusted with chage.
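The output of chage -l is nothing more than a rendering of the shadow fields just described. The following script, an added example and not code from the original article, decodes a constructed /etc/shadow line (the hash is a placeholder) into the same values chage -l prints, including the "never" cases for the 99999 default and whether the password has been locked with passwd -l. It assumes GNU date for the day-number to date conversion.

```shell
#!/bin/sh
# Added example, not code from the original article: decode the aging fields of
# an /etc/shadow entry and reproduce the values `chage -l` prints for them.
# Assumes GNU date for the day-number to date conversion (date -d @SECONDS).
# The shadow line is constructed for this example; the hash is a placeholder.

SAMPLE_SHADOW='donald:$6$placeholder$notarealhash:16732:3:90:5:10:16946:'

# Fields: name:hash:lastchg:min:max:warn:inact:expire:reserved
# lastchg and expire are days since 1970-01-01; min, max, warn, inact are spans in days.
parse_shadow() {
    IFS=: read -r s_user s_hash s_lastchg s_min s_max s_warn s_inact s_expire _ <<EOF
$1
EOF
}

days_to_date() {                       # 16732 -> 2015-10-24
    date -u -d "@$(( $1 * 86400 ))" +%F
}

# A max age of 10000 days or more (the 99999 default) is what chage shows as "never".
max_is_unlimited() {
    [ -z "$s_max" ] || [ "$s_max" -ge 10000 ]
}

# A last-change day of 0 (set with chage -d 0) forces a change at the next login.
last_change() {
    parse_shadow "$1"
    if [ -z "$s_lastchg" ]; then echo never
    elif [ "$s_lastchg" -eq 0 ]; then echo "password must be changed"
    else days_to_date "$s_lastchg"; fi
}

# "Password expires" = last change + max age (chage -M).
password_expires() {
    parse_shadow "$1"
    if max_is_unlimited; then echo never; else days_to_date $(( s_lastchg + s_max )); fi
}

# "Password inactive" = password expiry + inactivity grace (chage -I).
password_inactive() {
    parse_shadow "$1"
    if max_is_unlimited || [ -z "$s_inact" ]; then echo never
    else days_to_date $(( s_lastchg + s_max + s_inact )); fi
}

# "Account expires" (chage -E) is an absolute day, independent of the password.
account_expires() {
    parse_shadow "$1"
    if [ -z "$s_expire" ]; then echo never; else days_to_date "$s_expire"; fi
}

# passwd -l / usermod -L put a "!" in front of the hash; "*" or "!!" means no
# usable password was ever set. Either way password authentication fails.
password_locked() {
    parse_shadow "$1"
    case $s_hash in '!'*|'*'*) echo yes ;; *) echo no ;; esac
}

report() {
    parse_shadow "$1"
    printf '%-48s: %s\n' "Last password change" "$(last_change "$1")"
    printf '%-48s: %s\n' "Password expires" "$(password_expires "$1")"
    printf '%-48s: %s\n' "Password inactive" "$(password_inactive "$1")"
    printf '%-48s: %s\n' "Account expires" "$(account_expires "$1")"
    printf '%-48s: %s\n' "Minimum number of days between password change" "${s_min:-unset}"
    printf '%-48s: %s\n' "Maximum number of days between password change" "${s_max:-unset}"
    printf '%-48s: %s\n' "Number of days of warning before password expires" "${s_warn:-unset}"
    printf '%-48s: %s\n' "Password locked (passwd -l)" "$(password_locked "$1")"
}

report "$SAMPLE_SHADOW"
```

Run it against a real entry with `report "$(sudo grep '^donald:' /etc/shadow)"` and the first seven lines match chage -l for that user; the last line is the lock check that chage -l does not show (passwd -S does).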
By default a user's password never expires. However, you can make it expire after a specific period of time using the chage command. For example, if you want donald's password to have a (M)aximum age of 90 days, then you run:
$ chage -M 90 donald
This means that donald cannot keep the same password for more than 90 days: once it is that old he is forced to change it at his next login, so in practice he will need to change it within 90 days.
Now let’s check that this command has worked:
$ chage -l donald
Last password change                                    : Oct 24, 2015
Password expires                                        : Jan 22, 2016
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
If you want to give the donald user 5 days of warning before the maximum password age is reached (the default, from login.defs, is 7), then run:
$ chage -W 5 donald
Now let's check that this has worked:
$ chage -l donald
Last password change                                    : Oct 24, 2015
Password expires                                        : Jan 22, 2016
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 5
Straight after a user has changed his password, you might want to prevent him from changing it again immediately, and instead require a few days to pass first (this stops a user from cycling through passwords to get back to an old favourite as soon as a change has been forced). E.g. to prevent donald from changing the password within 3 days of the last password change, you do:
$ chage -m 3 donald
Let's check that this has worked:
$ chage -l donald
Last password change                                    : Oct 24, 2015
Password expires                                        : Jan 22, 2016
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 3
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 5
If you want to set an expiration date of 2016-05-25 for the donald user's account, then run:
$ chage -E 2016-05-25 donald
This is useful for temporary employees whose contract finishes on a fixed date in the future. Let's check this has worked:
$ chage -l donald
Last password change                                    : Oct 24, 2015
Password expires                                        : Jan 22, 2016
Password inactive                                       : never
Account expires                                         : May 25, 2016
Minimum number of days between password change          : 3
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 5
The account doesn't actually get deleted, and this is not the same thing as the password expiring: from that date on, login is refused whatever the state of the password and whatever the authentication method (the user is told the account has expired), so he is effectively locked out. Only root can reopen the account, by moving the date or removing it altogether by passing -1 as the date.
However, let's say you want to set the expiry date to 100 days from today. This can be a little tricky to work out, because -E only accepts an absolute date. Luckily you can use the date command to compute what the date will be 100 days from now, like this:
$ date -d "+100days" +%F
2015-11-17
The output naturally depends on the day you run it; %F prints the YYYY-MM-DD form that -E expects, so the result can be passed straight to chage -E.
If donald no longer plans to use the machine, and in fact forgets that the machine exists in the first place, then you want a way to lock his account after a period of inactivity. The most logical way of measuring this is the time that has passed since the password's --maxdays age was reached; this is referred to as the "inactive" period. To set an inactive period of 10 days for the donald user, you do:
$ chage -I 10 donald
Now let's check that this has worked:
$ chage -l donald
Last password change                                    : Oct 24, 2015
Password expires                                        : Jan 22, 2016
Password inactive                                       : Feb 01, 2016
Account expires                                         : May 25, 2016
Minimum number of days between password change          : 3
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 5
This means that once donald's password reaches 90 days of age, he has a further 10 days in which he can still log in (and he will be prompted to change the password when he does). If he doesn't log in during those 10 days, the account is locked and root has to unlock it, for example by setting a new password or a new last-change date with chage -d.
The difference between account expiration and password expiration
There is a difference between account expiration and password expiration. When you set --maxdays you are setting a password expiration date; the user keeps the account usable by changing the password at any point after --mindays has passed and before the --inactive period runs out (even once the password has expired, the next login simply forces the change). But if the account passes the account expiration date (set with -E), or the inactive period runs out, the account is locked regardless of what the user does, and only root can reopen it.
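To make the distinction concrete, here is the decision a login makes from the aging fields, written out as a shell function. This is an added example and not code from the original article: the rules follow shadow(5) and pam_unix (an account is expired from the -E day onwards; a password is expired once its age exceeds the max, inactive once it exceeds max plus the inactive period, and in the warning window once age plus warn days exceeds the max), while the state names and the "today" parameter are this example's own so that the results are reproducible. The day numbers are donald's values from this article (last change 2015-10-24 is day 16732, account expiry 2016-05-25 is day 16946).

```shell
#!/bin/sh
# Added example, not code from the original article: the decision a login makes
# from the /etc/shadow aging fields, showing where account expiry and password
# expiry differ. Rules follow shadow(5) and pam_unix; the state names are this
# example's own. Day numbers are days since 1970-01-01, as stored in
# /etc/shadow; "today" is passed in so the results are reproducible.

# login_state HASH LASTCHG MIN MAX WARN INACT EXPIRE TODAY
login_state() {
    hash=$1 lastchg=$2 max=$4 warn=$5 inact=$6 expire=$7 today=$8

    # 1. Account expiry (chage -E) is absolute: it applies whatever the state
    #    of the password and whatever authentication method was used, and no
    #    password change by the user reopens the account; only root can.
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return
    fi

    # 2. A hash starting with "!" or "*" (passwd -l, usermod -L) stops password
    #    authentication only. SSH key logins are not affected by this lock.
    case $hash in '!'*|'*'*) echo password-locked; return ;; esac

    # 3. Password ageing only applies when a max age is set.
    if [ -z "$max" ]; then echo ok; return; fi
    age=$(( today - lastchg ))

    if [ -n "$inact" ] && [ "$age" -gt $(( max + inact )) ]; then
        echo inactive-locked           # past max + inactive: root must unlock
    elif [ "$age" -gt "$max" ]; then
        echo must-change               # expired, but login is still allowed
                                       # and forces a new password (chage -M)
    elif [ -n "$warn" ] && [ $(( age + warn )) -gt "$max" ]; then
        echo warn                      # inside the chage -W warning window
    else
        echo ok
    fi
}

# Can the user run passwd today? Not until MIN days (chage -m) have passed
# since the last change.
can_change_password() {
    lastchg=$1 min=$2 today=$3
    if [ $(( today - lastchg )) -ge "${min:-0}" ]; then echo yes; else echo no; fi
}

# donald's values from the article: last change day 16732 (2015-10-24),
# min 3, max 90, warn 5, inactive 10, account expiry day 16946 (2016-05-25).
# The hash is a constructed placeholder; only its first character matters here.
for today in 16740 16820 16823 16833 16946; do
    printf 'day %s: %s\n' "$today" "$(login_state '$6$placeholder' 16732 3 90 5 10 16946 "$today")"
done
```

Note the two different "locks" that fall out of this: inactive-locked and account-expired are computed from the aging fields and are cleared by root changing those fields (chage -d, chage -E), whereas password-locked is a property of the hash itself and is cleared with passwd -u.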