Linux set default password expiry for all new users

Under Linux, password-related utilities and configuration files come from the shadow password suite. The /etc/login.defs file defines the site-specific configuration for this suite. It is a readable text file in which each line describes one configuration parameter: a configuration name and a value, separated by whitespace.

Set the default password expiry in the /etc/login.defs file using the password aging control parameters:

  1. PASS_MAX_DAYS : Maximum number of days a password may be used. If the password is older than this, a password change will be forced.
  2. PASS_MIN_DAYS : Minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected.
  3. PASS_WARN_AGE : Number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided.

Open the /etc/login.defs file using a text editor:
# vi /etc/login.defs
Set up (sample) values as follows:

Close and save the file.
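
One way to script the edit described above and to check which existing accounts the new default does not reach, as an added example that is not part of the original article. The function names, the file paths passed as arguments and the 60/1/7 values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Paths are parameters so it
# can be tried on copies before touching /etc/login.defs as root.

# set_login_def FILE KEY VALUE: replace the active KEY line (dropping any
# duplicates) or append it if missing. Commented-out lines are left alone.
set_login_def() {
    tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" '
        $1 == k { if (!seen) print k "\t" v; seen = 1; next }
        { print }
        END { if (!seen) print k "\t" v }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps owner and mode of FILE
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# get_login_def FILE KEY: print the active value of KEY, if any.
get_login_def() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# accounts_over_max SHADOW MAX: login.defs only seeds accounts created later,
# so list existing users whose own maximum age (field 5 of the shadow file)
# is empty or larger than MAX. Locked entries (hash starts with ! or *) are
# skipped.
accounts_over_max() {
    awk -F: -v max="$2" '
        $2 ~ /^[!*]/ { next }
        $5 == "" || $5 + 0 > max + 0 { print $1 }
    ' "$1"
}

# Demo on constructed sample files; 60/1/7 are sample values, not the page's.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample' '#PASS_MAX_DAYS 30' \
    'PASS_MAX_DAYS 99999' 'PASS_MIN_DAYS 0' > "$demo_dir/login.defs"
printf '%s\n' 'root:$6$salt$hash:19000:0:99999:7:::' \
    'alice:$6$salt$hash:19000:1:60:7:::' \
    'daemon:*:19000:0:99999:7:::' > "$demo_dir/shadow"
set_login_def "$demo_dir/login.defs" PASS_MAX_DAYS 60
set_login_def "$demo_dir/login.defs" PASS_MIN_DAYS 1
set_login_def "$demo_dir/login.defs" PASS_WARN_AGE 7
cat "$demo_dir/login.defs"
echo "existing accounts still above 60 days:"
accounts_over_max "$demo_dir/shadow" "$(get_login_def "$demo_dir/login.defs" PASS_MAX_DAYS)"
```

Accounts listed by accounts_over_max keep their old limit until it is changed per user, for example with chage -M.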

Please note that much of the functionality that used to be provided by the shadow password suite is now handled by the PAM suite. Next time I will write about PAM configuration.

9 comments
  • John Sep 13, 2006 @ 19:12

    Is this for email passwords or system logins like cPanel or SSH?


  • 🐧 nixcraft Sep 13, 2006 @ 20:48


    This is for the system password, aka SSH login. If your email server is using the system password, then the same limit will apply.


  • MrKIPS Aug 20, 2009 @ 23:08

    Thank you. I came across this article while searching for information on password expiry. Useful.

  • easwaramoorthi Sep 21, 2010 @ 6:04

    Thank you.
    It's very good.

  • does this apply for Root account ? Oct 8, 2010 @ 12:06

    My auditor has asked me to change the value for the following 3:
    PASS_MAX_DAYS 99999

    As I have only the Root account on the machine and no other accounts are configured.
    Also, I always took the console of the server. It’s configured in UI.

    Thanks in Advance !!!


  • Zamfir May 26, 2011 @ 11:56


    My question is the following:

    If you have those set in login.defs, can they be overridden by the chage command?
    Something like:

    chage -W10 -m7 -M42

    Which will apply for this user? (/etc/login.defs or /etc/shadow – because chage modifies /etc/shadow in this example)


  • Olly Jun 5, 2011 @ 15:43

    @Zamfir: login.defs defines the defaults that are set up for a user on account creation. These defaults can be overridden by chage or passwd commands. To see what applies to a user, see
    chage -l $user

  • colin Oct 29, 2012 @ 4:17

    I had this question asked on a non-LDAP site. Guessing that this would even be difficult using LDAP and Kerberos.

    Can we remember password history for the last 14 logins (i.e. the user must not be able to use the same password again for at least 14 login attempts) and can we ensure a password complexity of at least 6 characters with a number? I.e. DonaldDaffyGoofeyBugsElmerCoyote9 ? 😉

  • Mani Apr 8, 2016 @ 20:30

    Can anyone help me with how to edit this file through a shell script? I would really appreciate it if someone could help me out. I am a newbie in the Linux scripting world.
