A compilation of documentation

Force a user to change the password of their system account

Author: Xavier Béguin

The appropriate commands

The command chage

On UNIX-like systems (to which GNU/Linux belongs), the command chage (for "change age", reserved for superuser use) lets the administrator reset the number of days since an account's last password change. Setting it to zero forces the user to choose a new password at their next login.

For instance, to force the user with the login hkrustofski to change their password, the superuser (usually the root account) can run the following command:

~# chage -d 0 hkrustofski

The command passwd

The option -e of the command passwd (which is mainly used to change an account's password on the command line) allows the superuser to perform the same operation. The following command has the same effect as the chage command above:

~# passwd -e hkrustofski

Consequence for the user

At their next authentication, the system asks the user for their current password and then for a new password, entered twice. This works whether the user connects over SSH (with password authentication), on a text console, or through most graphical login managers (such as gdm on GNOME).

Verifying the state of a user password

Using the command chage

With its option -l, chage lets the system administrator display the information the user database keeps about the validity of an account's password. Here is an example, taken before the number of days since the last password change is reset:

~# chage -l hkrustofski
Last password change           : oct. 22, 2014
Password expires               : never
Password inactive              : never
Account expires                : never
Minimum number of days between password change      : 0
Maximum number of days between password change      : 99999
Number of days of warning before password expires   : 7

And here is the output of the same command after the superuser has run chage -d 0 hkrustofski:

~# chage -d 0 hkrustofski
~# chage -l hkrustofski
Last password change			: password must be changed
Password expires				: password must be changed
Password inactive				: password must be changed
Account expires					: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 99999
Number of days of warning before password expires	: 7

Using the command passwd

The command passwd -S <login> displays roughly the same information in a more condensed format:

~# passwd -S hkrustofski
centipede L 10/22/2014 0 99999 7 -1

The information displayed by passwd -S is described in the manual page passwd(1) and consists of seven fields:

Display account status information. The status information consists of 7 fields. The first field is the user's login name. The second field indicates if the user account has a locked password (L), has no password (NP), or has a usable password (P). The third field gives the date of the last password change. The next four fields are the minimum age, maximum age, warning period, and inactivity period for the password. These ages are expressed in days.

  • the user's login name;
  • an indicator of the state of the password:
    • L if the password is locked,
    • NP if the account has no password,
    • P if the account has a usable password;
  • the date of the last password change (in the US format month/day/year);
  • the minimum number of days that must elapse before the password may be changed again;
  • the maximum number of days the password remains valid before a change is forced;
  • the number of days of warning before the password expires;
  • the allowed number of days of inactivity after a password has expired before the account is locked.

With the option -a in addition to -S, and no account name, passwd prints this information for every account on the system.
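The seven-field format described above is easy to audit in bulk. The following POSIX shell function, written as an added example and not part of the original page, reads passwd -S lines on standard input and flags accounts that have no password (NP), a locked password (L), or a usable password with no maximum age (99999, the default seen in the chage -l output above). The sample status lines are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `passwd -Sa` output (seven fields per line, as in passwd(1)).
# These lines are made up for this example.
SAMPLE_STATUS='root P 03/01/2024 0 99999 7 -1
hkrustofski L 10/22/2014 0 99999 7 -1
alice P 01/05/2023 0 90 7 14
bob NP 06/10/2022 0 99999 7 -1'

# audit_passwd_status: read passwd -S lines on stdin and print one finding per
# flagged account as "<login> <finding>". Findings:
#   no-password : status NP, the account has no password at all
#   locked      : status L, the password is locked
#   no-max-age  : status P but maximum age 99999, so a change is never forced
# Accounts with a usable password and a finite maximum age are not reported.
audit_passwd_status() {
    while read -r login status lastchg minage maxage warn inactive; do
        [ -z "$login" ] && continue
        case "$status" in
            NP) echo "$login no-password" ;;
            L)  echo "$login locked" ;;
            P)
                if [ "$maxage" -ge 99999 ]; then
                    echo "$login no-max-age"
                fi
                ;;
            *)  echo "$login unknown-status:$status" ;;
        esac
    done
}

# count_findings: number of flagged accounts in the constructed sample.
count_findings() {
    printf '%s\n' "$SAMPLE_STATUS" | audit_passwd_status | wc -l | tr -d ' '
}

# On a live system (as root): passwd -Sa | audit_passwd_status
printf '%s\n' "$SAMPLE_STATUS" | audit_passwd_status
```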

Note that the use of these commands is reserved to the system administrator.

Additional functionalities for password management

As can be inferred from the information printed by chage -l, the system also lets you implement a regular password-change policy, that is:

  • to have the user account expire on a specific date or after a specific period of inactivity;
  • to define a minimal number of days before the user can change their password;
  • to define a maximal number of days before the user is forced to change their password.

These parameters can be set for a specific account with the command chage and, for some of them, with the command passwd. The file /etc/login.defs defines the defaults applied to all newly created user accounts.

For more information on these additional functionalities, consult the manual pages of the commands with man chage or man passwd, or the manual page login.defs(5) for the file /etc/login.defs, available through the command man 5 login.defs.