Friday, June 2, 2017

[Linux article collection] 7 Examples to Manage Linux Password Expiration and Aging Using chage

Source From Here
Preface
Best practice recommends that users change their passwords at a regular interval. But typically developers and other users of a Linux system won’t change their password unless they are forced to. It is the system administrator’s responsibility to find a way to force users to change their passwords. Holding a gun to their heads is not an option, however tempted a security-conscious sysadmin may be.

In this article let us review how you can use Linux chage command to perform several practical password aging activities including how-to force users to change their password.

7 Examples to Manage Linux Password Expiration and Aging

1. List the password and its related details for an user
As shown below, any user can execute the chage command for himself to identify when his password is about to expire.
// Syntax: chage --list username (or) chage -l username
# chage --list john
Last password change : Oct 07, 2016
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

If user peter tries to execute the same command for user john, he’ll get the following permission denied message.
$ chage -l john
chage: Permission denied.

Note: However, a root user can execute chage command for any user account.

When user peter changes his password on Jun 03, 2017, it will update the “Last password change” value as shown below.
$ date // Logged in as peter, who changed his password a few seconds ago
Sat Jun 3 08:58:27 CST 2017
$ chage --list peter
Last password change : Jun 03, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

Please refer to our earlier article: Best Practices and Ultimate Guide For Creating Super Strong Password, which will help you to follow the best practices while changing password for your account.

2. Set Password Expiry Date for an user using chage option -M
The root user (system administrator) can set the password expiry date for any user. In the following example, user peter’s password is set to expire 10 days after the last password change. Note that option -M updates both the “Password expires” and the “Maximum number of days between password change” entries, as shown below.
// Syntax: # chage -M number-of-days username

// -M, --maxdays MAX_DAYS: Set the maximum number of days during which a password is valid.

# chage -M 10 peter
# chage --list peter
Last password change : Jun 03, 2017
Password expires : Jun 13, 2017
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 10
Number of days of warning before password expires : 7

3. Password Expiry Warning message during login
By default the number of days of warning before the password expires is set to 7. So, in the above example, when user peter tries to log in on Jun 7, 2017, he’ll get the following message.
# date +"%Y%m%d" -s "20170608" // Move the system date forward so that peter's password is close to expiry
20170608
# date
Thu Jun 8 00:00:03 CST 2017

# ssh peter@localhost // Login account peter with ssh
...
peter@localhost's password:

Warning: your password will expire in 6 days


4. User Forced to Change Password after Expiry Date
Once the password expiry date has passed and the user still hasn’t changed the password, the system forces the user to change it before completing the login, as shown below:
# date +"%Y%m%d" -s "20170620" // Move the system date past peter's password expiry date
20170620
# ssh peter@localhost
...
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user peter.
Changing password for peter.
(current) UNIX password:

5. Set the Account Expiry Date for a User
You can also use the chage command to set the account expiry date, using option -E as shown below. The date is given in “YYYY-MM-DD” format. This updates the “Account expires” value as shown below.
# chage -E "2017-07-31" peter
# chage -l peter
Last password change : Jun 03, 2017
Password expires : Jun 13, 2017
Password inactive : never
Account expires : Jul 31, 2017
Minimum number of days between password change : 0
Maximum number of days between password change : 10
Number of days of warning before password expires : 7

6. Force the user account to be locked after X number of inactivity days
Typically, once the password has expired, the user is forced to change it at the next login. You can add a further condition with option -I: if the user does not log in within 10 days after the password expires, the account is locked automatically. In this example, the “Password inactive” date is set to 10 days after the “Password expires” value:
# chage -I 10 peter
# chage -l peter
Last password change : Jun 03, 2017
Password expires : Jun 13, 2017
Password inactive : Jun 23, 2017
Account expires : Jul 31, 2017
Minimum number of days between password change : 0
Maximum number of days between password change : 10
Number of days of warning before password expires : 7


Once an account is locked, only system administrators will be able to unlock it.

7. How to disable password aging for a user account
To turn off password expiration for a user account, set the following:
* -m 0 will set the minimum number of days between password change to 0
* -M 99999 will set the maximum number of days between password change to 99999
* -I -1 (number minus one) will set the “Password inactive” to never
* -E -1 (number minus one) will set “Account expires” to never.

For example:
# chage -m 0 -M 99999 -I -1 -E -1 peter
# chage -l peter
Last password change : Jun 03, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
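The dates that chage prints in sections 2, 5, 6 and 7 are all derived from the numeric fields in /etc/shadow, and the login-time behaviour in sections 3 and 4 follows from the same numbers. The script below is an added example (not code from the article or from shadow-utils) that parses shadow records, reproduces the “Password expires”, “Password inactive” and “Account expires” lines, predicts what a login on a given day will do, and flags accounts whose aging has been disabled as in section 7. It assumes the nine-field layout of shadow(5), that chage prints “never” when the max field is negative or at least 10000 (as in chage.c; verify on your build), and that the login checks approximate pam_unix’s comparisons. The shadow lines and the “today” dates are constructed to match the article’s figures.

```python
"""Reproduce what `chage -l` derives from /etc/shadow and audit aging settings.

Added example, not code from the original article or from shadow-utils.
Assumptions: the nine-field layout of shadow(5); chage prints "never" when the
max field is negative or >= 10000 (as in chage.c, verify on your build); the
login-time checks approximate pam_unix's comparisons. All sample records and
"today" values below are constructed.
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NEVER_THRESHOLD = 10000  # assumption: chage treats max >= 10000 as "never"

# Constructed /etc/shadow excerpt (hashes are placeholders, not real hashes).
SAMPLE_SHADOW = """\
peter:$6$constructed$notarealhash:17320:0:10:7:10:17378:
john:$6$constructed$notarealhash:17081:0:99999:7:::
sshd:*:17081:0:99999:7:::
"""


def days_since_epoch(iso: str) -> int:
    """'YYYY-MM-DD' -> day count as stored in /etc/shadow (days since 1970-01-01)."""
    y, m, d = (int(x) for x in iso.split("-"))
    return (date(y, m, d) - EPOCH).days


def day_to_iso(days):
    """Day count -> 'YYYY-MM-DD'; None -> 'never' (chage's wording)."""
    return "never" if days is None else (EPOCH + timedelta(days=days)).isoformat()


def parse_shadow_line(line: str) -> dict:
    """Split one shadow record; empty numeric fields become -1 (unset)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    name, pwhash, *nums, _flag = fields
    lastchg, mindays, maxdays, warn, inactive, expire = (int(x) if x else -1 for x in nums)
    return {"name": name, "hash": pwhash, "lastchg": lastchg, "min": mindays,
            "max": maxdays, "warn": warn, "inactive": inactive, "expire": expire}


def derive(rec: dict) -> dict:
    """Day counts behind the 'Password expires / inactive / Account expires' lines."""
    lastchg, maxdays, inactive, expire = rec["lastchg"], rec["max"], rec["inactive"], rec["expire"]
    pw_expires = None
    if lastchg >= 0 and 0 <= maxdays < NEVER_THRESHOLD:
        pw_expires = lastchg + maxdays          # -M: max days after the last change
    pw_inactive = None
    if pw_expires is not None and inactive >= 0:
        pw_inactive = pw_expires + inactive     # -I: locked this many days after expiry
    acct_expires = expire if expire >= 0 else None  # -E: absolute day, independent of the password
    return {"password_expires": pw_expires, "password_inactive": pw_inactive,
            "account_expires": acct_expires}


def chage_list(rec: dict) -> dict:
    """Human-readable form using the labels of `chage -l`."""
    d = derive(rec)
    last = rec["lastchg"]
    return {
        "Last password change": "password must be changed" if last == 0
        else day_to_iso(last if last > 0 else None),
        "Password expires": day_to_iso(d["password_expires"]),
        "Password inactive": day_to_iso(d["password_inactive"]),
        "Account expires": day_to_iso(d["account_expires"]),
    }


def login_status(rec: dict, today: int) -> str:
    """What a login on day `today` does with this account (pam_unix-style checks,
    evaluated from the most severe condition downwards)."""
    d = derive(rec)
    if d["account_expires"] is not None and today >= d["account_expires"]:
        return "account expired"
    if d["password_inactive"] is not None and today > d["password_inactive"]:
        return "locked: password inactive"
    if d["password_expires"] is not None:
        left = d["password_expires"] - today
        if left < 0:
            return "must change password at login"
        if rec["warn"] > 0 and left < rec["warn"]:
            return f"warning: password expires in {left} days"
    return "ok"


def audit(shadow_text: str, max_allowed: int = 90) -> list:
    """Flag enabled accounts whose aging settings defeat the policy (the section 7 state)."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        rec = parse_shadow_line(line)
        if rec["hash"].startswith(("!", "*")):
            continue  # locked or no-login account: password aging is moot
        if rec["max"] < 0 or rec["max"] >= NEVER_THRESHOLD:
            findings.append((rec["name"], f"password never expires (max={rec['max']})"))
        elif rec["max"] > max_allowed:
            findings.append((rec["name"], f"max days {rec['max']} exceeds policy {max_allowed}"))
        if rec["inactive"] < 0 and 0 <= rec["max"] < NEVER_THRESHOLD:
            findings.append((rec["name"], "no inactivity lock after expiry (-I unset)"))
    return findings


if __name__ == "__main__":
    today = days_since_epoch("2017-06-08")
    for shadow_line in SAMPLE_SHADOW.splitlines():
        record = parse_shadow_line(shadow_line)
        print(record["name"], chage_list(record), login_status(record, today))
    print(audit(SAMPLE_SHADOW))
```

One caveat worth knowing when reading the article’s section 3 output: the shadow fields are whole days counted from the Unix epoch, and pam_unix computes “today” the same way (UTC days), so a login at 00:00 CST on Jun 8 still falls on the UTC day of Jun 7. That is why the article’s login reports 6 days left while the script, given the calendar date 2017-06-08, reports 5.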

