Managing User Password Expiration with chage

I want to talk a little about a Linux tool called chage which should be available on most Linux distributions with base installation. Yes chage this is not a typo. It is a tool to view and change the user password expiry information. It can be used to list the current password status of a user and also to set the password expiry information. I encountered it when one day after installing some service on a Linux server it just refused to work as expected. The root cause of it all was the dedicated user’s password had expired. You can get the details of the user password expiry information by running sudo chage -l youruser. The output will look something like this:

Last password change                                    : Aug 27, 2021
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : -1
Maximum number of days between password change          : -1
Number of days of warning before password expires       : -1

If you’re unsure about the expiration of your users’ passwords, you can do a simple loop over the users to check that.

for u in $(cut -d ':' -f 1 /etc/passwd); do
    exp=$(sudo chage -l $u | grep 'Password expires')
    echo "$u $exp"
done | column -t

You can also use a tool like userdbctl to iterate over users if you have systemd based Linux distribution. For example userdbctl -R --output=classic will list regular users omitting system users and present them in a classic : delimited manner. The output can also be specified as json if you want to do some further automation. Chances are, that all the lines will say that the password never expires, but you may find something unexpected.

In my case I had a user with an expired password, so I had to reset. This can be done by running sudo chage -E -1 myuser which will set the account to never expire. I also had to do sudo usermod -U myuser to unlock the account. You can also do the opposite and set the password to expire in a certain amount of days by running sudo chage -M 30 myuser. I encourage you to look more into this command by reading the manual man chage.