Using the chage command to manage Linux user and password expiry
2019-03-10 13:02:41 阿炯

In Linux, user and password expiry can be set with the chage command. Note that chage works on users that already exist on the system, not at user creation: useradd can set an expiry date when a user is added, but chage offers much finer control over whether and when a user's password or account expires. The command requires a shadow password file to be present. Only root may run chage; the one exception is the -l option, which lets an unprivileged user see when their own password or account expires.

chage [options] USERNAME

There are plenty of options; the most immediately useful are:
-E Set the expire date for a user password. The date is expressed in the format YYYY-MM-DD.
-I Set the number of inactive days allowed, after a password expires, before the account is locked.
-l List the account aging information.
-m Set the minimum number of days allowed between password changes. Setting this option to 0 allows the user to change their password at any time.
-M Set the maximum number of days in which a password is valid.
-W Set the number of days of warning before a user must change their password.
    
Syntax
chage [options] username

Options
-m: minimum number of days between password changes. Zero means the password may be changed at any time.
-M: maximum number of days the password remains valid.
-W: number of days before the password expires on which the user starts receiving a warning.
-E: date on which the account expires. After that day the account can no longer be used.
-d: date of the last password change. Setting it to 0 means the user must change their password at the next login.
-I: inactivity period. The number of days after a password has expired before the account becomes unusable.
-l: list the current settings. Lets an unprivileged user determine when their password or account expires.

To list the account aging information for freeoa, issue the command:
chage -l freeoa

Let's set freeoa's password to expire on July 10, 2016. The command would be:
chage -E 2016-07-10 freeoa

A better way to set an expiration date is to set the number of days since the last password change; this remains in effect until the administrator removes or changes that option. Say you want passwords to be changed every 30 days; you would issue the command:
chage -M 30 freeoa

The next time the user changes their password, the days between will reset, and they will have a fresh 30 days before their password expires.

If you've added an explicit expiration date, you can remove it with the command:
chage -E -1 freeoa

Our next move will be to give the user a warning that their password will expire. By default, the warning is issued seven days in advance (this only takes effect once you have set an expiration date for the password or a number of days between password changes). Let's change that warning to one day in advance. To do this, issue the command:
chage -W 1 freeoa

You can set the number of days after a password has expired before an account will be locked. Once an account is locked, it can only be unlocked by an administrator. To set this option, the command would look like:
chage -I 10 freeoa

Once that command has been issued, the account for freeoa will lock 10 days after her password has expired. This particular option does not show in the chage -l command, so a user will not know how many days they have, after their password has expired, before the account is locked.

Change password expiry in Linux

'chage' is the command to list and change the password aging information for a Linux user account. The chage command changes the number of days between password changes and the date the password expires. Here is a quick look at how to show the expiration date of a particular Linux user account.

Listing password aging for user:

The chage command with option -l shows the password expiry details of a user. In this example, the user's last password change was on Dec 25th 2017 and the password is valid for 90 days. The user will be warned at login starting 7 days before expiry.

Syntax: chage --list username (or) chage -l username
# chage -l freeoa
 Last password change : Dec 25, 2017
 Password expires : never
 Password inactive : never
 Account expires : never
 Minimum number of days between password change : 0
 Maximum number of days between password change : 90
 Number of days of warning before password expires : 7

Change the number of days to expire:

Use the -M option and provide the number of days until expiry.

Syntax: # chage -M number-of-days username
# chage -M 120 freeoa
# chage -l freeoa
 Last password change : Jan 25, 2018
 Password expires : May 25, 2018
 Password inactive : never
 Account expires : never
 Minimum number of days between password change : 0
 Maximum number of days between password change : 120
 Number of days of warning before password expires : 7
 
By default the number of days of warning before the password expires is set to 7, so at login the user sees a message such as: Warning: your password will expire in 3 days. You can also use the chage command to set the account expiry date, using option -E as shown below. The date is given in 'YYYY-MM-DD' format, and the command updates the 'Account expires' value in the listing.

# chage -E "2019-05-31" freeoa

Change the password to never expire:

You can use chage to make the password never expire with the options below. This sets both the password and the account to never expire.

# chage -m 0 -M 99999 -I -1 -E -1 freeoa
# chage -l freeoa
 Last password change : Jan 25, 2018
 Password expires : never
 Password inactive : never
 Account expires : never
 Minimum number of days between password change : 0
 Maximum number of days between password change : 99999
 Number of days of warning before password expires : 7

Disable password aging for a user account

To turn off password expiration for a user account, set the following:
-m 0 sets the minimum number of days between password changes to 0
-M 99999 sets the maximum number of days between password changes to 99999
-I -1 (minus one) sets 'Password inactive' to never
-E -1 (minus one) sets 'Account expires' to never.

# chage -m 0 -M 99999 -I -1 -E -1 freeoa

Change account expiry to specific date:

You can set the account to expire on a specific day or +N days from the current date. Here are examples using the chage -E option.

# chage -E 2019-05-12 freeoa
or
# chage -E $(date -d +180days +%Y-%m-%d) freeoa
# chage -l freeoa
Last password change : never
Password expires : never
Password inactive : never
Account expires : May 12, 2019
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

Force the user account to be locked after X number of inactivity days

Typically, if the password has expired, users are forced to change it during their next login. You can also set an additional condition: after the password has expired, if the user has not tried to log in for 10 days, their account is locked automatically, using option -I as shown below. In this example, the 'Password inactive' date is set to 10 days after the 'Password expires' value.

Once an account is locked, only system administrators will be able to unlock it.

# chage -I 10 freeoa
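As an added example (not code from the original post, nor from the chage utility itself), the following POSIX shell script reproduces the date arithmetic behind the chage -l listing and the -M, -I and -E settings discussed above, reading constructed /etc/shadow-style lines so it runs offline. It assumes GNU date for the day-count-to-date conversion; the usernames, day counts and hashes are made-up sample values.

```shell
#!/bin/sh
# Added example, not code from the original post: recompute the dates that
# chage -l derives from the /etc/shadow fields, so an auditor can find
# accounts where password aging has been switched off or an account is about
# to lock. Assumes GNU date (for -d @SECONDS). The shadow lines below are
# constructed sample data with placeholder hashes, not a real system file.
set -eu

# Constructed sample entries in shadow(5) layout:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='freeoa:$6$PLACEHOLDER:17556:0:120:7:::
svc_backup:$6$PLACEHOLDER:17556:0:99999:7:::
olduser:!:17525:0:90:7:10::
contractor:$6$PLACEHOLDER:17556:0:99999:7::18028:'

# Convert a day count since 1970-01-01 (the unit used in /etc/shadow) to
# YYYY-MM-DD.
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d
}

# Print "user|password_expires|locked_after|account_expires" for one entry.
# "never" follows the shadow(5) conventions the post relies on: a max of
# 99999 (or none) means the password never expires, and an empty or negative
# inactive/expire field means never.
aging_summary() {
    printf '%s\n' "$1" | {
        IFS=: read -r user hash last min max warn inact expire rest
        pw_exp=never; lock=never; acct=never
        if [ -n "$last" ] && [ -n "$max" ] && [ "$max" -lt 99999 ]; then
            pw_exp=$(days_to_date $(( last + max )))
            if [ -n "$inact" ] && [ "$inact" -ge 0 ]; then
                lock=$(days_to_date $(( last + max + inact )))
            fi
        fi
        if [ -n "$expire" ] && [ "$expire" -ge 0 ]; then
            acct=$(days_to_date "$expire")
        fi
        printf '%s|%s|%s|%s\n' "$user" "$pw_exp" "$lock" "$acct"
    }
}

# List accounts with no password expiry, no inactivity lock and no account
# expiry: the entries an auditor would raise as findings.
never_expiring_users() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        summary=$(aging_summary "$line")
        case "$summary" in
            *'|never|never|never') printf '%s\n' "${summary%%|*}" ;;
        esac
    done
}

never_expiring_users "$SAMPLE_SHADOW"
```

To audit a real system, run it as root and pass the contents of /etc/shadow to never_expiring_users instead of SAMPLE_SHADOW; the accounts it prints are the ones where the -m 0 -M 99999 -I -1 -E -1 combination above (or permissive login.defs defaults) has left no expiry at all, and aging_summary shows for any single entry the lock date that chage -l does not display.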

Several parameters can be set by editing /etc/login.defs; passwords set afterwards use these values as their defaults:
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

Likewise, in /etc/default/useradd (if it exists) the two aging-related parameters, INACTIVE and EXPIRE, can be set:
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

Changing these configuration files only affects users created afterwards; for users that already exist on the system, configure aging directly with chage.
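As an added example rather than anything from the post, the following shell script audits login.defs text against a baseline, showing the defaults quoted above beside a hardened set. The baseline bounds (90-day maximum, 1-day minimum, 8-character minimum length, 7-day warning) are assumptions chosen for illustration, not values the post prescribes, and both configurations are constructed sample text rather than real files.

```shell
#!/bin/sh
# Added example, not code from the original post: check /etc/login.defs
# values against a baseline before trusting them as defaults for new users.
# The baseline numbers are an assumption chosen for illustration (the post
# does not prescribe them); both configs are constructed sample text.
set -eu

# The defaults shown in the post: aging is effectively disabled.
WEAK_LOGIN_DEFS='# constructed sample, mirrors the post
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7'

# The same keys with values that force rotation (assumed baseline).
HARDENED_LOGIN_DEFS='PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    8
PASS_WARN_AGE   14'

# Look up one key in login.defs text: comments and blank lines are skipped
# and the last assignment wins. Prints nothing if the key is absent.
login_defs_get() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == key { val = $2 }
        END { if (val != "") print val }'
}

# Compare one numeric setting against a bound and print a finding when it
# falls outside. $1 key, $2 test(1) operator (-le / -ge), $3 bound, $4 config.
check_setting() {
    val=$(login_defs_get "$1" "$4")
    if [ -z "$val" ] || ! [ "$val" "$2" "$3" ]; then
        printf '%s=%s violates baseline (%s %s)\n' "$1" "${val:-unset}" "$2" "$3"
    fi
}

# One finding per line; empty output means the file meets the baseline.
check_login_defs() {
    check_setting PASS_MAX_DAYS -le 90 "$1"   # passwords must rotate
    check_setting PASS_MIN_DAYS -ge 1  "$1"   # no immediate change-back
    check_setting PASS_MIN_LEN  -ge 8  "$1"
    check_setting PASS_WARN_AGE -ge 7  "$1"
}

echo "weak:";     check_login_defs "$WEAK_LOGIN_DEFS"
echo "hardened:"; check_login_defs "$HARDENED_LOGIN_DEFS"
```

On a real host, pass "$(cat /etc/login.defs)" to check_login_defs; remember that, as the post notes, fixing the file only covers accounts created afterwards, so existing accounts still need chage.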