Linux turn OFF password expiration / aging

Posted on in Categories Debian Linux, Howto, Linux, RedHat/Fedora Linux, Security, Suse Linux, Sys admin, Tip of the day, Tips, Troubleshooting, Ubuntu Linux last updated May 22, 2007

/etc/shadow stores actual password in encrypted format for user’s account with additional properties related to user password.

The password expiration information for a user is contained in the last 6 fields. Password expiration for a select user can be disabled by editing the /etc/shadow file

However I recommend using chage command. The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password.

To list current aging type chage command as follows:
# chage -l vivek
Output:

Last password change                                    : May 22, 2007
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

To disable password aging / expiration for user foo, type command as follows and set:
Minimum Password Age to 0
Maximum Password Age to 99999
Password Inactive to -1
Account Expiration Date to -1
Interactive mode command:
# chage username
OR
# chage -I -1 -m 0 -M 99999 -E -1 username

Updated for accuracy.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

25 comment

  1. The simplest way to change the command-line version so that it actually works is as follows:
    # chage -I -1 -m 0 -M 99999 -E -1 username

    Most shells (certainly bash) require escaping ‘-‘ characters.

    1. wow this is the most retarded thing i have read today.
      “-” does not need to be escaped in any shell as it has no special meaning, it is just a convention used in most unix programs to identify option parameters (it is a slash under most windows utils, e.g. “ipconfig /a”). characters you may need to escape are ” or ‘ or $ or ` and so on (see http://www.gnu.org/software/bash/manual/bashref.html#Quoting ).
      you ‘may’ need to tell a program to not read a for example a file name “rm -my_file_name.txt” as an option via “rm — -my_file_name.txt” but thats about it.

      the original code snippet /actually/ works without any escaping.

  2. James,

    Try something as follows to list permission for all user (backup your /etc/passwd and /etc/shadow before you run following commands) :
    awk -F':' '{ if ( $3 >= 1000 ) print $0 }' /etc/passwd | cut -d: -f1 | xargs -I {} chage -l {}

    Replace chage -l with ‘chage -I -1 -m 0 -M 99999 -E -1’

    awk -F':' '{ if ( $3 >= 1000 ) print $0 }' /etc/passwd | cut -d: -f1 | xargs -I {} chage -I -1 -m 0 -M 99999 -E -1 {}

  3. I get this error while executing the command,

    [root@lnxtestsrv1 ~]# awk -F ':' '{ if ( $3 >= 1000 ) print $1 }' /etc/passwd | xargs -I {} chage -I -1 -m 0 -M 99999 -E -1 {}
    xargs: invalid option -- I
    Usage: xargs [-0prtx] [-E eof-str] [-e[eof-str]] [-I replace-str]
           [-i[replace-str]] [-L max-lines] [-l[max-lines]] [-n max-args]
           [-s max-chars] [-P max-procs] [--null] [--eof[=eof-str]]
           [--replace[=replace-str]] [--max-lines[=max-lines]] [--interactive]
           [--max-chars=max-chars] [--verbose] [--exit] [--max-procs=max-procs]
           [--max-args=max-args] [--no-run-if-empty] [--version] [--help]
           [command [initial-arguments]]
    
    Report bugs to .
  4. awk -F’:’ ‘{ if ( $3 >= 1000 ) print $0 }’ /etc/passwd | cut -d: -f1 | xargs -I {} chage -l {}
    Last password change : Aug 06, 2012
    Password expires : never
    Password inactive : never
    Account expires : never
    Minimum number of days between password change : 0
    Maximum number of days between password change : 99999
    Number of days of warning before password expires : 7

    I am getting only this much output.how can I change the policy for all user?

Leave a Comment