FreeBSD: Password expiry / aging policy

For security reason you must enable Password expiry policy on FreeBSD box. Linux comes with chage command, which changes the number of days between password changes and the date of the last password change.

FreeBSD pw command

Use pw command to setup password expiry date for existing user account. Syntax is as follows:
pw user mod USERNAME -p DD-MMM-YY

Where,

  • -p DD-MMM-YY: Set the account’s password expiration date.

For example, expire user rocky’s password on 31-Mar-2006:
# pw user mod USERNAME -p 31-mar-06
Use pw command to setup password expiry while creating new user account.
pw user add USERNAME -p DATE -e DAYS:
Where,

  • -p DAYS: Set default account expiration period in days
  • -e DAYS: Set the account’s expiration date.

For example create a user called didi and Set the default password expiration to 30 days.
# pw user add didi -p 30 -d /home/didi -m
# passwd didi

This is good if you have small number of users. For large installation base (such as University computers) you need to define user login class. With login class you can control the following :

  • Resource limits
  • Accounting limits
  • Authentication limits
  • Default user environment settings.
🐧 If you liked this page, please support my work on Patreon or with a donation.
🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source & DevOps topics via:
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
2 comments… add one
  • 🐧 nixCraft Nov 21, 2007 @ 14:44

    andrei,

    Thanks for the heads up. The post has been updated.

  • andrei manescu Nov 21, 2007 @ 13:55

    I think you got it wrong:
    * -p DAYS: Set default account expiration period in days
    * -e DAYS: Set default password expiration period in days

    Man pw disagrees 🙂
    -p date Set the account’s password expiration date. This field is
    similar to the account expiration date option, except that
    it applies to forced password changes. This is set in the
    same manner as the -e option.

    -e date Set the account’s expiration date. Format of the date is
    either a UNIX time in decimal, or a date in `dd-mmm-yy[yy]’
    format, where dd is the day, mmm is the month, either in
    numeric or alphabetic format (‘Jan’, ‘Feb’, etc) and year

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.