User accounts created on Red Hat Enterprise Linux (RHEL) servers are by default assigned 99,999 days until their password expires. The Center for Internet Security (CIS) provides some advice on controls for hardening systems, and one of these is setting password expirations to 365 days or less. The security team usually enforces this setting, but system administrators must ensure this is done.
Use the /etc/login.defs
file to set password aging policies. All new users inherit the definitions set in login.defs
. You'll use the chage
command to manage password-aging polices.
[ Free download: Advanced Linux commands cheat sheet. ]
In /etc/login.defs
, you can adjust the following parameters to reflect your security policy or control:
- PASS_MAX_DAYS: How many days the password is active before it expires.
- PASS_MIN_DAYS: How many days a password must be active before it can be changed by a user.
- PASS_WARN_AGE: The number of days a warning is issued to the user before an impending password expiry.
The following example modifies your policy such that a password expires after 90 days and cannot be changed until it's been active for seven days, and users are notified five days prior to password expiry:
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 5
Changes made to /etc/login.defs
affect only new users created on the system. For existing users, you must use the chage
command.
You can set the same configuration for existing users with:
$ sudo chage --mindays 7 \
--maxdays 90 --warndays 5 user1
View password age
To view the password age for a user, use the --list
option (-l
for short) with the chage
command. For example, to view password information for user1:
$ sudo chage --list user1
Minimum number of days between password change : 7
Maximum number of days between password change : 90
Number of days of warning before password expires: 5
Password expiry
Use the chage
command to set the expiry date for an account. This setting defines a given date, after which a user account is locked and inaccessible. You can do this with the --expiredate
(-E
for short) option.
For example, to cause the user1 account's password to expire after 90 days, count 90 days forward from the current date (July 15, 2022, in this example):
$ sudo chage -E 2022-07-15 user1
Alternately, use the date
command to do a calculation for you:
$ sudo chage --expiredate \
$(date -d +90days +%Y-%m-%d) user1
Password policies
A password policy is one important part of your organization's security posture. With the chage
command, you can make your systems manage password reminders and expiry dates reliably. Once the security team defines the appropriate settings, sysadmins can check that the settings are applied consistently.
[ Thinking about security? Check out this free guide to boosting hybrid cloud security and protecting your business. ]
저자 소개
I work as Unix/Linux Administrator with a passion for high availability systems and clusters. I am a student of performance and optimization of systems and DevOps. I have passion for anything IT related and most importantly automation, high availability, and security.
유사한 검색 결과
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리
제품
- Red Hat Enterprise Linux
- Red Hat OpenShift Enterprise
- Red Hat Ansible Automation Platform
- 클라우드 서비스
- 모든 제품 보기
툴
체험, 구매 & 영업
커뮤니케이션
Red Hat 소개
Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.