How to force regular Linux password change

Password validity is a system mechanism used to force a password to expire after a specific time. This may cause some trouble for the user, but it ensures that the password is changed regularly, which is a good security measure. By default, the majority of Linux sub-installation versions do not enable the password,

Password validity is a system mechanism used to force a password to expire after a specific time. This may cause some trouble for the user, but it ensures that the password is changed regularly, which is a good security measure. By default, the majority of Linux sub-installation versions do not enable the password, but it is very easy to open.

By editing/etc/login. defs, you can specify several parameters to set the default setting of password effectiveness:

PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7

When the password validity period is set to 99999 days, the password validity period is actually disabled. A more sensible setting is generally 60 days-a password is forcibly changed every two months.

The PASS_MIN_DAYS parameter specifies the minimum number of days required after the password is changed. The PASS_WARN_AGE setting specifies the number of days before the password expires to notify the user to change the password (generally, the user will receive a warning when logging on to the system ).

You will also edit the/etc/default/useradd file to find the INACTIVE and EXPIRE Keywords:

INACTIVE = 14
EXPIRE =

This indicates how long after the password expires. if the password is not changed, change the account to the invalid state. In this example, the time is 14 days. The EXPIRE setting is used to set a specific time (in the format of "year-month-date") for all new users ").

Obviously, after these settings are changed, only new users can be affected. To modify the existing user settings, you must use the chage tool.

# Chage-M 60 joe

This command sets the PASS_MAX_DAYS of user joe to 60 and modifies the corresponding shadow file.

You can use the chage-l option to list the validity period of the current account, and use the-m option to set PASS_MIN_DAYS and-W to set PASS_WARN_AGE. The chage tool allows you to change the validity period of all passwords for a specific account.

Note that the chage is only applicable to accounts in the local system. if you use an LDAP-like authentication system, the tool will become invalid. If you are using LDAP for authentication and you are planning to use chage, even if you are trying to list the validity of your password, you will find that chage does not work at all.

It is a good practice to define how long a password must be changed and then enforce the policy. After an employee is dismissed, the password validity policy ensures that the employee cannot find that the password is still available three months after being dismissed. Even if the system administrator ignores the deletion of his account, the account will be automatically locked due to the password validity policy. Of course, this cannot be the reason for not deleting the employee's account in time, but this policy does provide an additional layer of security protection, especially in the past, accounts were often neglected to be cleared in a timely manner.