Lab 149: RHCSA chage Password Aging Controls — fatima Remediation Workflow

Audit and remediate a user’s password aging policy using chage. Apply minimum/maximum age, warning window, inactivity after expiry, account expiration date, and force a password change at next login. Verify the final state and leave the account in a sane, standards-aligned configuration.

Scenario

User fatima was locked out after a policy change. Security wants the account aligned to the new standard:

  • Min days between changes: 7
  • Max password age: 90
  • Warning: 14 days
  • Inactive: 30 days after password expiry
  • Account expires: 2025-12-31
  • Force password change at next login

Operator context

This is a targeted remediation. First prove current policy, then apply each control explicitly, then verify the final state using chage -l.

Objective

  • Review the current password aging configuration for fatima.
  • Set minimum days between changes to 7.
  • Set maximum password age to 90.
  • Set password expiry warning window to 14.
  • Set inactivity window to 30 days after password expiry.
  • Set account expiration date to 2025-12-31.
  • Force a password change at next login.
  • Set the last password change date to 2025-06-01.
  • Verify the updated policy.

Concepts

  • Reading password aging state with chage -l.
  • Password aging controls: -m (min), -M (max), -W (warning).
  • Post-expiry behavior: -I (inactive days after password expiry).
  • Account expiration: -E (date the account expires, independent of password expiry).
  • Password change enforcement: -d 0 (force change next login) and -d YYYY-MM-DD (set last change date).
  • The difference between password expiry, password inactive, and account expiry in operational terms.

Walkthrough

Step 1: Display the current password aging info for fatima.
Command
sudo chage -l fatima

Start by collecting the current state. This gives you a baseline and prevents “I think I set it” drift. It also shows the computed dates (expires/inactive/account expiry) which you can sanity-check against policy.

Last password change                                    : May 20, 2025
Password expires                                        : Aug 18, 2025
Password inactive                                       : Sep 17, 2025
Account expires                                         : Dec 31, 2025
Minimum number of days between password change          : 7
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 14

Step 2: Set minimum days between password changes to 7.
Command
sudo chage -m 7 fatima

Minimum age prevents rapid password cycling and supports policy compliance. This setting affects when the user is allowed to change the password again after a change.

Step 3: Set maximum password age to 90 days.
Command
sudo chage -M 90 fatima

Maximum age defines when the password expires. Once expired, the account may still be usable depending on system policy, but password-based login typically requires a change.

Step 4: Set warning window to 14 days.
Command
sudo chage -W 14 fatima

Warning days control when the user starts receiving expiry warnings. This reduces surprise lockouts and improves compliance.

Step 5: Set inactive period to 30 days after password expiry.
Command
sudo chage -I 30 fatima

After the password expires, the account can remain usable for a grace period depending on configuration. Once the inactivity window is reached, the password becomes inactive and the account is effectively disabled for password-based login until remediated.

Step 6: Set the account expiration date to 2025-12-31.
Command
sudo chage -E 2025-12-31 fatima

Account expiration is independent of password expiration. On the expiration date, the account is expired regardless of password state.

Step 7: Force a password change at next login.
Command
sudo chage -d 0 fatima

Setting the last password change date to 0 forces an immediate change on next login. This is common after remediation or when resetting credentials.

Step 8: Set the last password change date to 2025-06-01.
Command
sudo chage -d 2025-06-01 fatima

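This sets an explicit last-change date, which determines when the password expires (last change plus maximum age). Because it runs after Step 7, it replaces the value written by -d 0, so the forced change at next login no longer applies. In practice, you would use either -d 0 to force a change or a specific last-change date, depending on the remediation intent.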

Step 9: Verify the updated aging policy.
Command
sudo chage -l fatima

Verification is the deliverable. Confirm the min/max/warn values, check the computed expiry and inactive dates, and ensure the account expiry date matches the standard.

Last password change                                    : Jun 01, 2025
Password expires                                        : Aug 30, 2025
Password inactive                                       : Sep 29, 2025
Account expires                                         : Dec 31, 2025
Minimum number of days between password change          : 7
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 14
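
The Step 9 verification can also be scripted against the stored shadow fields, which additionally shows whether the forced change from Step 7 is still in effect. This is an added example, not part of the original lab; the names audit_aging, force_change_pending and POLICY, and the sample records, are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: audit a shadow(5) record against the scenario's standard.
# Layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are day counts since 1970-01-01.

# Policy order: min max warn inactive expire (20453 = 2025-12-31 as a day count).
POLICY="7 90 14 30 20453"

# Constructed sample records; HASH is a placeholder, not a real password hash.
AFTER_STEP7='fatima:HASH:0:7:90:14:30:20453:'      # chage -d 0 still in effect
AFTER_STEP8='fatima:HASH:20240:7:90:14:30:20453:'  # chage -d 2025-06-01 applied
DRIFTED='fatima:HASH:20240:0:99999:7:::'           # aging controls never applied

# audit_aging: read one record on stdin, print findings, and return 0 only
# when min, max, warn, inactive and expire all match POLICY.
audit_aging() {
    awk -F: -v policy="$POLICY" '
    function check(label, got, want) {
        if (got != want) {
            printf "FAIL %s: got \"%s\", want %s\n", label, got, want
            bad = 1
        }
    }
    {
        split(policy, p, " ")
        check("min", $4, p[1]); check("max", $5, p[2]); check("warn", $6, p[3])
        check("inactive", $7, p[4]); check("expire", $8, p[5])
        if ($3 == 0)
            print "INFO password change is forced at next login"
        else
            printf "INFO password expires on day %d, inactive on day %d\n",
                   $3 + $5, $3 + $5 + $7
    }
    END { exit bad + 0 }'
}

# force_change_pending: succeed when lastchg is 0, the value chage -d 0 stores.
force_change_pending() {
    [ "$(cut -d: -f3)" = "0" ]
}

# Demo over the constructed records.
for rec in "$AFTER_STEP7" "$AFTER_STEP8" "$DRIFTED"; do
    printf '== %s\n' "$rec"
    printf '%s\n' "$rec" | audit_aging || echo "-> does not meet the standard"
done
```

On a live host, pipe the output of sudo getent shadow fatima into either function; neither one prints the hash field.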

Common breakpoints

chage fails: “Permission denied”

Password aging settings modify shadow metadata. Run with sudo and ensure you have privileges to manage local accounts.

Dates do not match expectations after setting -M/-d

The computed expiry date depends on the last password change date plus the maximum age. If you set -d 0 and then set a specific -d YYYY-MM-DD later, the second command defines the final state.

Account expiry versus password expiry confusion

Password expiry controls credential validity. Account expiry (-E) disables the account on that date regardless of password settings.

Inactive is set, but user still can’t log in immediately

Inactive days apply after the password expires. If the user is locked out for other reasons (locked password, expired account, PAM policy), you may need additional checks outside chage.

Cleanup checklist

This lab leaves the account configured per the stated standard. If you are using a disposable lab user, your cleanup is confirming the final state and documenting the settings you applied.

Commands
sudo chage -l fatima

Success signal

chage -l shows min/max/warn/inactive/account-expiry values matching policy, and computed dates that align with your configured last-change date.

Reference

  • chage -l <user> : Displays password aging information for a user.
  • chage -m <days> <user> : Sets the minimum number of days between password changes.
    • -m : Minimum days between changes.
  • chage -M <days> <user> : Sets the maximum number of days a password is valid.
    • -M : Maximum days before password expires.
  • chage -W <days> <user> : Sets the warning days before password expiration.
    • -W : Warning window.
  • chage -I <days> <user> : Sets inactivity days after password expiration.
    • -I : Days after expiry before password becomes inactive.
  • chage -E <YYYY-MM-DD> <user> : Sets the account expiration date.
    • -E : Account expires on the specified date.
  • chage -d 0 <user> : Forces a password change at next login.
    • -d 0 : Sets last-change to epoch day 0 to force change.
  • chage -d <YYYY-MM-DD> <user> : Sets the last password change date explicitly.
    • -d : Last password change date (affects computed expiry).