订阅内容

User accounts created on Red Hat Enterprise Linux (RHEL) servers are by default assigned 99,999 days until their password expires. The Center for Internet Security (CIS) provides some advice on controls for hardening systems, and one of these is setting password expirations to 365 days or less. The security team usually enforces this setting, but system administrators must ensure this is done.

Use the /etc/login.defs file to set password aging policies. All new users inherit the definitions set in login.defs. You'll use the chage command to manage password-aging polices.

[ Free download: Advanced Linux commands cheat sheet. ]

In /etc/login.defs, you can adjust the following parameters to reflect your security policy or control:

  • PASS_MAX_DAYS: How many days the password is active before it expires.
  • PASS_MIN_DAYS: How many days a password must be active before it can be changed by a user.
  • PASS_WARN_AGE: The number of days a warning is issued to the user before an impending password expiry.

The following example modifies your policy such that a password expires after 90 days and cannot be changed until it's been active for seven days, and users are notified five days prior to password expiry:

PASS_MAX_DAYS	90
PASS_MIN_DAYS	 7
PASS_WARN_AGE	 5

Changes made to /etc/login.defs affect only new users created on the system. For existing users, you must use the chage command.

You can set the same configuration for existing users with:

$ sudo chage --mindays 7 \
--maxdays 90 --warndays 5 user1

View password age

To view the password age for a user, use the --list option (-l for short) with the chage command. For example, to view password information for user1:

$ sudo chage --list user1
Minimum number of days between password change   : 7
Maximum number of days between password change	 : 90
Number of days of warning before password expires: 5

Password expiry

Use the chage command to set the expiry date for an account. This setting defines a given date, after which a user account is locked and inaccessible. You can do this with the --expiredate (-E for short) option.

For example, to cause the user1 account's password to expire after 90 days, count 90 days forward from the current date (July 15, 2022, in this example):

$ sudo chage -E 2022-07-15 user1

Alternately, use the date command to do a calculation for you:

$ sudo chage --expiredate \
$(date -d +90days +%Y-%m-%d) user1

Password policies

A password policy is one important part of your organization's security posture. With the chage command, you can make your systems manage password reminders and expiry dates reliably. Once the security team defines the appropriate settings, sysadmins can check that the settings are applied consistently.

[ Thinking about security? Check out this free guide to boosting hybrid cloud security and protecting your business. ]


关于作者

I work as Unix/Linux Administrator with a passion for high availability systems and clusters. I am a student of performance and optimization of systems and DevOps. I have passion for anything IT related and most importantly automation, high availability, and security.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

按频道浏览

automation icon

自动化

有关技术、团队和环境 IT 自动化的最新信息

AI icon

人工智能

平台更新使客户可以在任何地方运行人工智能工作负载

open hybrid cloud icon

开放混合云

了解我们如何利用混合云构建更灵活的未来

security icon

安全防护

有关我们如何跨环境和技术减少风险的最新信息

edge icon

边缘计算

简化边缘运维的平台更新

Infrastructure icon

基础架构

全球领先企业 Linux 平台的最新动态

application development icon

应用领域

我们针对最严峻的应用挑战的解决方案

Original series icon

原创节目

关于企业技术领域的创客和领导者们有趣的故事