Password aging is a mechanism that lets the system enforce a maximum
lifetime for passwords. It is mildly inconvenient for users, but it guarantees
that passwords are changed on a schedule and, more usefully, that accounts whose
passwords are never changed can be disabled automatically. Most Linux
distributions leave password aging effectively disabled by default, but it is
easy to enable. One caveat before choosing an interval: current guidance such as
NIST SP 800-63B advises against forcing routine password changes when there is
no evidence of compromise, because users respond with predictable variations of
the old password, so weigh the rotation period against that cost.
By editing /etc/login.defs, you can set the defaults that useradd applies
to password aging when it creates an account:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
These stock values effectively disable password aging by allowing a password
to remain valid for 99,999 days. A more sensible PASS_MAX_DAYS would be 60,
forcing a password change every two months. PASS_MIN_DAYS is the number of days
that must pass after a password change before the user may change the password
again (with 0, nothing stops a user from changing a password and immediately
changing it back). PASS_WARN_AGE is the number of days before expiration during
which users are warned, at login, that a change is coming.
You can also edit /etc/default/useradd (useradd -D shows its current
contents), looking for the INACTIVE and EXPIRE keywords:
INACTIVE=14
EXPIRE=
INACTIVE is the number of days after a password has expired, without being
changed, before the account is disabled; here it is 14 days. The default of -1
turns this off, in which case an expired password only forces a change at the
next login and never locks anyone out. EXPIRE sets an explicit expiration date,
in YYYY-MM-DD format, for all newly created accounts; it is normally left empty.
These settings, of course, affect only users created after the change: the
values are copied into each new user's /etc/shadow entry at creation time. To
update users that already exist, use the chage tool:
# chage -M 60 joe
This sets joe's maximum password age to 60 days and updates his /etc/shadow
entry accordingly. Use chage -l to list an account's current aging information,
-m to set the minimum days between changes, -W to set the warning period, -I to
set the inactive period, -E to set an account expiration date, and -d 0 to force
a change at the next login. Between them, these options let you manipulate every
aspect of password aging on the specified account.
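As an added example, not part of the original article, the following POSIX shell script reproduces the aging rules described above against /etc/shadow-format lines: it reports which accounts still sit on the 99999-day default, which are in their warning window, which have an expired password that merely forces a change at login, and which have been disabled because the INACTIVE grace period has also run out. It then emits the chage commands that would bring the unaged accounts under the 60/7/14 policy, so the change can be reviewed before it is run as root. The account names, hashes and the day number 20000 are constructed sample data; the function and variable names are my own, not shadow-utils APIs.

```sh
#!/bin/sh
# Offline password-aging audit in the terms /etc/shadow uses.
# Shadow line layout:  name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are day numbers (days since 1970-01-01).

# audit_shadow TODAY   (shadow-format lines on stdin; prints "user:state")
# TODAY is today's day number, normally $(( $(date +%s) / 86400 )); it is a
# parameter so results are reproducible. Boundary comparisons use ">" as pam_unix does.
audit_shadow() {
    awk -F: -v today="$1" '
    NF < 8 { next }                      # skip malformed lines
    {
        user = $1; hash = $2; last = $3; max = $5; warn = $6; inact = $7; expire = $8
        # "!" or "*" hashes cannot log in with a password at all; aging is moot.
        if (hash ~ /^[!*]/) { print user ":locked_hash"; next }
        # chage -E date: hard account expiry, independent of password age.
        if (expire != "" && expire + 0 <= today) { print user ":account_expired"; next }
        # Empty lastchg/max, or the 99999 default, mean no effective aging.
        if (last == "" || max == "" || max + 0 >= 99999) { print user ":no_aging"; next }
        # lastchg=0 (chage -d 0) forces a change at the next login.
        if (last + 0 == 0) { print user ":must_change"; next }
        expires_on = last + max
        if (today <= expires_on) {
            if (warn != "" && today > expires_on - warn) print user ":in_warning_window"
            else print user ":ok"
            next
        }
        # Password has expired. The account is disabled only once the INACTIVE
        # grace period has also elapsed; -1 or empty means never.
        if (inact != "" && inact + 0 >= 0 && today > expires_on + inact)
            print user ":inactive_locked"
        else
            print user ":expired_must_change"
    }'
}

# plan_chage TODAY MAX MIN WARN INACTIVE   (shadow-format lines on stdin)
# Emits the chage commands that put every still-unaged account under the
# policy. Review the output, then run it as root.
plan_chage() {
    audit_shadow "$1" | awk -F: -v M="$2" -v m="$3" -v W="$4" -v I="$5" \
        '$2 == "no_aging" { printf "chage -M %s -m %s -W %s -I %s %s\n", M, m, W, I, $1 }'
}

# Constructed sample data (not a real /etc/shadow); "today" is day 20000.
sample_shadow() {
    cat <<'EOF'
pat:$6$fakehash:19980:0:99999:7:::
joe:$6$fakehash:19945:0:60:7:14::
alice:$6$fakehash:19930:0:60:7:14::
bob:$6$fakehash:19900:0:60:7:14::
carol:$6$fakehash:19900:0:60:7:-1::
dave:$6$fakehash:0:0:60:7:14::
erin:$6$fakehash:19980:0:60:7:14:19999:
sshd:*:19000:0:99999:7:::
EOF
}

# Demo run against the sample data: SHADOW_AUDIT_DEMO=1 sh audit.sh
if [ "${SHADOW_AUDIT_DEMO-}" = 1 ]; then
    sample_shadow | audit_shadow 20000
    sample_shadow | plan_chage 20000 60 0 7 14
fi
```

Against the real file, run it as sudo cat /etc/shadow | audit_shadow "$(( $(date +%s) / 86400 ))" after sourcing the script; in the sample, bob is the laid-off-employee case (expired and past the 14-day grace), while carol shows that with INACTIVE=-1 the same account is only prompted for a new password, never locked.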
Note that chage works only on local accounts in /etc/shadow; it does not work
for users authenticated through a directory such as LDAP. If you run chage
against an LDAP user, even just to list the aging information, it will report
that it knows nothing about the user. For directory accounts the equivalent
policy lives in the directory (for example the shadowMax, shadowWarning and
shadowInactive attributes of the shadowAccount object class) and must be managed
there.
Having a policy that defines how often a password must be changed, and being
able to enforce it, is definitely a good thing. Consider a laid-off employee:
if the administrator neglects to delete the account, a PASS_MAX_DAYS of 60 and
an INACTIVE period of 14 days mean the account is disabled 74 days after the
last password change, so the former employee cannot come back three months later
to find the account still usable. Expiration alone is not enough for this:
without the INACTIVE setting, an expired password merely prompts for a new one
at the next login. None of this is an excuse for leaving behind accounts of
users who no longer need access, but it provides an extra layer of protection
when account removal is overlooked.