Account aging information can be set for each individual user using the chage command. You force a user to change their password on next login, and set password and account expiration and inactive time periods as well. You finish up by clearing all password aging information in one command.
- [Instructor] In another video of this course, we saw how to change global user account settings by editing the /etc/login.defs file. This only affects new users created after the change. If we need to change existing user accounts, we have to use various other commands. You could edit the /etc/shadow file for most of these settings but it's not recommended as it's easy to misconfigure a user this way. The main command we'll use to change user account settings is chage or change age.
Chage is used to change password and account aging information for users. Chage -d changes the number of days since January 1st 1970 when the password was last changed. Setting this to 0 means a password hasn't been changed and forces the password change on next login. Dash capital E sets the date that the user's account will expire. Dash capital I sets the number of days of inactivity after password expiration before the account is automatically locked.
Dash lowercase M sets the minimum number of days before a password changes. Setting this to 0 allows users to change their password at any time. Dash capital M is the maximum number of days during which a password is valid. Dash capital W is the number of days of warning before a password change is required. And lastly, dash L lists account aging information. This is the only command option that can be run by any user.
So let's go to the terminal now and modify some account aging information. Now let's get the account information by first typing in cat space /etc/passwd. Now I only have one account with a user ID of 1000 or higher which means a regular user account. My username is Grant. Let's get the account aging information for this user. Chage space dash L space username which in my case is Grant.
Here we can see a listing of this account's aging information. If I want to force a user to enter their password at the next login, we can use the password command to expire their account. Type in sudo space passwd space dash dash expire space and then the user account name, in my case, Grant. Type in your password again and hit enter. Another way to expire a password is using the chage command. Type in sudo space chage space dash D space 0 space and then the user account which in my case is Grant and hit enter.
We can verify this by typing in chage space dash L space and then the username and hitting enter. You'll notice that my password must be changed. So before we go any further, I'm going to go ahead and log out by clicking on my top right-hand menu, click on my name, and then clicking on log out. Then I'll click on log out again. I'm going to try to login normally with my old password. And you'll see that it's going to prompt me to change my password. I need to type in my old password again and then I'll type in my new password which I am setting right here.
Type it in a second time and hit enter. Once I'm logged in, I'll open up another terminal by going to applications, favorites, terminal. Make it full screen and bump my font size. I'm going to verify my aging information by typing in chage space dash L space and then my username which is Grant. You can see that now my last password change was January 16th 2017. You may also notice that we have both account expiration and password expiration dates.
When the password expires, the user needs to reset their password. The user may still be able to login using SSH keys but when the account expires, it can no longer be logged in at all. Password expiration is to create a moving target for hackers. If users have to change their password every so often it makes it harder to exploit. Account expiration is to close accounts. First I'm going to change the account expiration date for the user. Let's type in sudo space chage space dash capital E space and then I'm going to put a date in there of 2017 dash 11 dash 10 space and then my username which is Grant and hit enter.
I'll need to type in my new password again for sudo. Chage space dash L space and my username which is Grant. We can now see that the account expires on November 10th 2017. Now I'm going to change the password expiration to 90 days using the dash capital M option. Type in sudo space chage dash capital M 90 space and then the username which in my case is Grant. And verify by typing in chage space dash L space username enter.
Note that this changes the password expiration date and the maximum number of days between password changes. Typically if the password is expired, users are forced to change it during the next login. You can configure it so that when a user doesn't log in for a specific amount of time, after a password is expired, the account will be automatically locked. To change the number of days the account can be inactive before it's locked to 10 we'll use the dash capital I option. Type in sudo space chage dash capital I space 10 space and then the username.
Hit enter. We'll verify this by typing in chage space dash L space the username. Now that we've done all of this, we may want to disable all password aging. To do so, type in sudo space chage space dash capital I space negative 1 space dash lowercase M space 0 space dash capital M space 99,999 space dash capital E space negative 1 space the username which in my case is Grant and hit enter.
The dash I negative 1 will set the password inactive to never. The dash M0 will set the minimum number of days between password changes to 0 so the user can change their password at any time. The dash capital M 99,999 will set the maximum number of days between password changes to 99,999 or roughly 274 years. The dash capital E negative 1 will set account expires to never.
This will disable the password expiration of a user. We can verify this by typing in chage space dash L space and the username. And hit enter.
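The chage options walked through above are stored as the numeric fields of each /etc/shadow line, so the same information can be audited for every account at once. The script below is an added example, not part of the video or the course materials; the function names, the sample lines and the status labels are constructed for illustration, and the day count is passed in as an argument so the result is reproducible.

```shell
#!/bin/sh
# Added example: classify accounts from the aging fields of shadow-format lines.
# Layout (shadow(5)): name:hash:lastchg:min:max:warn:inactive:expire:reserved
# chage writes: -d -> 3, -m -> 4, -M -> 5, -W -> 6, -I -> 7, -E -> 8
# Dates are stored as days since 1970-01-01.

# aging_report TODAY_DAYS: reads shadow-format lines on stdin and prints
# "user status[,status...]" for each account.
aging_report() {
    awk -F: -v today="$1" '
    /^#/ || NF < 8 { next }
    {
        s = ""
        if ($3 == "0")
            s = s ",must-change"            # effect of chage -d 0
        else if ($3 != "" && $5 != "" && $5 != 99999 && $3 + $5 < today) {
            if ($7 != "" && $3 + $5 + $7 < today)
                s = s ",locked-inactive"    # past the -I grace period
            else
                s = s ",password-expired"   # past the -M maximum age
        }
        if ($8 != "" && $8 <= today)
            s = s ",account-expired"        # past the -E date
        if (($5 == "" || $5 == 99999) && $8 == "")
            s = s ",aging-disabled"         # -M 99999 with no -E date
        if (s == "") s = ",ok"
        print $1, substr(s, 2)
    }'
}

# Constructed sample lines (hash fields replaced by "*").
# 17182 = 2017-01-16, 17480 = 2017-11-10.
sample_shadow() {
cat <<'EOF'
grant:*:17182:0:90:7:10:17480:
newhire:*:0:0:90:7:::
svc:*:17000:0:99999:7:::
stale:*:17000:0:90:7:10::
EOF
}

# Demo run with a fixed "today" of day 17200 (2017-02-03).
# On a live system: sudo cat /etc/shadow | aging_report "$(( $(date +%s) / 86400 ))"
sample_shadow | aging_report 17200
```

Accounts reported as aging-disabled are the ones left in the state produced by the final command in the transcript, which makes this a quick way to find them after the fact.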
Instructor Grant McWilliams covers network and internet services administration, kernel management, and intrusion prevention. He shows how to make your systems more efficient with virtualization, manage users and groups, and lock everything down with SELinux mandatory access control. Plus, get access to 25 PDF "cheat sheets" and 100 practice questions so you can solidify and test your knowledge.
- Installing Linux on a physical machine
- Managing systemd services
- Managing reoccurring jobs with cron
- Limiting system access
- Configuring networking
- Creating, editing, and moving files and directories
- Analyzing text with grep and regular expressions
- Installing software and packages
- Managing the kernel
- Managing users, accounts, and groups
- Setting permissions
- Using access control lists
- Securing Linux with SELinux
- Accessing Linux remotely
- Configuring local storage