Provision a new local user and apply password aging controls using shadow-utils tooling.
Verify effective policy with id and chage, then confirm where system-wide defaults are defined.
A new intern has joined your company. You need to create a local account, set an initial password, force a password change on first login, and confirm the effective password aging policy.
User provisioning is not just “create an account.” You need predictable defaults, controlled onboarding, and proof that policy is actually enforced.
useradd creates the account record; whether a home directory or default groups are created depends on local configuration and policy.
passwd updates authentication state in the shadow database, not just a “password prompt.”
chage is the authoritative interface for password aging controls (expire, warn, min/max days).
Default aging values for new accounts come from /etc/login.defs, but per-user state still must be verified.
sudo useradd intern
This creates the account entry so the system can manage the user. Whether a home directory or default groups are created automatically depends on local defaults (CREATE_HOME in /etc/login.defs and the values shown by useradd -D), which vary by distribution; pass useradd -m if you need the home directory created explicitly.
id intern
# Example output:
uid=1002(intern) gid=1002(intern) groups=1002(intern)
sudo passwd intern
This sets the account’s password and updates the relevant authentication state in the shadow database. Use this as part of onboarding before you enforce first-login rotation.
# Example interaction:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
sudo chage -d 0 intern
Setting the "last password change" date to day 0 (1970-01-01) marks the current password as expired,
forcing the user to choose a new password at next login. passwd -e intern has the same effect.
On next login, the user is prompted to change the password before continuing the session.
sudo chage -l intern
This is your audit view. It confirms whether the password is expired, when it will expire, and which warning window and min/max values are active for this account.
# Example output:
Last password change : password must be changed
Password expires : password must be changed
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 30
Number of days of warning before password expires : 7
grep -E '^(PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE)' /etc/login.defs
/etc/login.defs is the primary reference for the default password aging values that shadow-utils tooling applies to newly created accounts.
This is where you validate the baseline policy you expect new accounts to inherit. The values shown below are an example; stock files usually ship a much larger PASS_MAX_DAYS (commonly 99999), so do not assume a 30-day maximum is in place without checking.
# Example output:
PASS_MAX_DAYS 30
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
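The three verification steps above (chage -l, the login.defs grep, and comparing the two) are what an auditor repeats for every account. The script below is an added example, not part of the original lab: it parses chage -l output and /etc/login.defs text into values and checks that the account is flagged for a first-login change and that its min/max/warn values match the system baseline. The sample chage and login.defs text is constructed to match the example output above (real output is tab-aligned; the parser handles tabs and spaces). The function and helper names are this example's own; only audit_user touches the live system, and it needs root.

```bash
#!/usr/bin/env bash
# Added example: verify password aging state against /etc/login.defs.
# Constructed sample of `sudo chage -l intern` after `chage -d 0 intern`.
SAMPLE_CHAGE='Last password change                    : password must be changed
Password expires                                : password must be changed
Password inactive                               : never
Account expires                                 : never
Minimum number of days between password change  : 0
Maximum number of days between password change  : 30
Number of days of warning before password expires : 7'

# Constructed sample of /etc/login.defs (comments, blank lines, mixed separators).
SAMPLE_LOGIN_DEFS='# Password aging controls

PASS_MAX_DAYS   30
PASS_MIN_DAYS   0
PASS_WARN_AGE	7
#PASS_MAX_DAYS  99999'

# chage_field "<chage -l output>" "<label prefix>" -> value after the colon, trimmed.
chage_field() {
  printf '%s\n' "$1" | awk -F':' -v key="$2" '
    index($0, key) == 1 { sub(/^[ \t]*/, "", $2); sub(/[ \t]*$/, "", $2); print $2; exit }'
}

# login_def "<login.defs text>" NAME -> value of an uncommented NAME line (empty if unset).
login_def() {
  printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# must_change_now "<chage -l output>" -> success if the user must change the password at next login.
must_change_now() {
  [ "$(chage_field "$1" 'Last password change')" = 'password must be changed' ]
}

# aging_matches_policy "<chage -l output>" "<login.defs text>" -> success if min/max/warn agree.
aging_matches_policy() {
  local chage_out=$1 defs=$2
  [ "$(chage_field "$chage_out" 'Maximum number of days')" = "$(login_def "$defs" PASS_MAX_DAYS)" ] &&
  [ "$(chage_field "$chage_out" 'Minimum number of days')" = "$(login_def "$defs" PASS_MIN_DAYS)" ] &&
  [ "$(chage_field "$chage_out" 'Number of days of warning')" = "$(login_def "$defs" PASS_WARN_AGE)" ]
}

# audit_user USER: run the same checks against the live system (requires root).
# Returns 0 on pass, 1 on a policy mismatch, 2 if the account cannot be read.
audit_user() {
  local user=$1 chage_out defs
  chage_out=$(chage -l "$user" 2>/dev/null) || return 2
  defs=$(cat /etc/login.defs)
  must_change_now "$chage_out" ||
    { echo "$user: password is not flagged for change at next login" >&2; return 1; }
  aging_matches_policy "$chage_out" "$defs" ||
    { echo "$user: aging values differ from /etc/login.defs" >&2; return 1; }
  echo "$user: OK"
}

# Offline demonstration on the constructed samples (no root needed).
if must_change_now "$SAMPLE_CHAGE" && aging_matches_policy "$SAMPLE_CHAGE" "$SAMPLE_LOGIN_DEFS"; then
  echo "sample: first-login change enforced and aging matches login.defs"
fi
```

Run `sudo bash -c '. ./audit.sh; audit_user intern'` (assumed file name) on the lab host to check the real account; a non-zero exit tells you to re-run chage -d 0 or chage -M/-m/-W for that user, since login.defs changes never touch existing accounts.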
Home directory creation may be disabled by default. Check CREATE_HOME in /etc/login.defs and the output of useradd -D to confirm whether useradd
creates home directories automatically; if not, recreate the account with useradd -m.
Re-check the user's aging state using sudo chage -l intern. If "Last password change" does not read
"password must be changed", re-run sudo chage -d 0 intern.
Defaults do not retroactively rewrite existing accounts. Use chage to enforce policy per user,
then verify with chage -l.
Confirm the account is not locked and that authentication is permitted by local access policy. sudo passwd -S intern shows the status in the second field (P usable password, L locked, NP no password); validate PAM policy separately if needed.
This lab creates a local account. If you are running this on a shared or long-lived system, remove the test user when you are done.
id intern
sudo chage -l intern
sudo userdel -r intern
The user is removed cleanly, and the home directory is deleted if it existed.
useradd <user>: Creates a new local user account entry.
passwd <user>: Sets or updates the user’s password.
chage -d 0 <user>: Expires the password immediately so the user must change it at next login.
-d 0: Set "last password change" date to day 0 (forces immediate expiration).
chage -l <user>: Displays password aging and expiration details for a user.
-l: List the current aging settings.
id <user>: Confirms the account exists and shows UID/GID and group memberships.
grep -E '^(PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE)' /etc/login.defs: Shows default password aging settings.
PASS_MAX_DAYS: Default maximum days a password is valid.
PASS_MIN_DAYS: Default minimum days before a password can be changed again.
PASS_WARN_AGE: Default warning days before expiration.
userdel -r <user>: Removes a local user account together with its home directory.
-r: Remove the user's home directory and mail spool if present.