
Lab 27: Password Aging and Expiration

Configure password aging controls for a user account using chage and validate the resulting policy state. Practice enabling expiration rules, reviewing the policy, then disabling aging and cleaning up.

users security core

Scenario

You are auditing password policy enforcement on a Linux host. A test account named expiringuser must be created and configured with password aging rules to meet internal standards. You will enforce expiration, minimum change windows, and warning periods, confirm the settings with a policy report, then disable aging and remove the account.

Operator context

This is the workflow you use to prove password aging is actually enforced, not just “set somewhere in a config.”

Objective

  • Create a user account for testing policy.
  • Set a password and enable password expiration rules.
  • Configure minimum age and expiration warning window.
  • Inspect the resulting policy state with chage -l.
  • Disable password aging and clean up the user.

What You’ll Practice

  • Creating users with useradd.
  • Setting passwords with passwd.
  • Enforcing maximum password age with chage -M.
  • Enforcing minimum password age with chage -m.
  • Setting warning days with chage -W.
  • Auditing policy state with chage -l.
  • Disabling aging using chage -M -1.
  • Cleaning up accounts with userdel.

Walkthrough

Step 1 : Create the test user.
Command
sudo useradd expiringuser

Create a dedicated account so the policy changes are isolated and easy to inspect.

Step 2 : Set a password for the test user.
Command
sudo passwd expiringuser

Password aging targets password metadata. Set a password first so the “last password change” field is meaningful.

Step 3 : Enable password expiration (max age 30 days).
Command
sudo chage -M 30 expiringuser

The max age controls how long a password can remain valid before the user is forced to change it.

Step 4 : Set minimum password age to 7 days.
Command
sudo chage -m 7 expiringuser

Minimum age stops a user from changing the password several times in quick succession to cycle back to a previous one, so rotation policy cannot be sidestepped.

Step 5 : Set warning window (5 days).
Command
sudo chage -W 5 expiringuser

Warning days control when users begin receiving expiration warnings prior to password expiry.

Step 6 : Audit the policy state.
Command
sudo chage -l expiringuser

This is your proof step: it prints the effective aging configuration attached to the user account.

Last password change                    : Jul 18, 2025
Password expires                        : Aug 17, 2025
Password inactive                       : never
Account expires                         : never
Minimum number of days between password change : 7
Maximum number of days between password change : 30
Number of days of warning before password expires: 5

Step 7 : Disable password aging for the user.
Command
sudo chage -M -1 expiringuser

Setting max age to -1 disables expiration, which is useful for service accounts or when removing temporary policy enforcement from a user.

Step 8 : Clean up the test user.
Command
sudo userdel expiringuser

Remove the user once verification is complete so the host returns to a clean baseline state.
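The audit in Step 6 checks one account at a time. The script below is an added example, not part of the original lab: it applies the same 30/7/5 policy to every record in shadow(5) format and reports deviations, going beyond the single-user case in the walkthrough. The function names, sample accounts and placeholder hash values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the lab): check shadow(5) records against an aging policy.
# Record layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# audit_aging MAX MIN WARN
# Reads shadow-format lines on stdin; prints "user: finding" per deviation.
audit_aging() {
    awk -F: -v pmax="$1" -v pmin="$2" -v pwarn="$3" '
        # Ignore blank lines and accounts whose password field is locked (! or *).
        $1 == "" || $2 ~ /^[!*]/ { next }
        # Empty lastchg or empty/negative max: no expiration is enforced.
        $3 == "" || $5 == "" || $5 + 0 < 0 {
            print $1 ": aging disabled"; next
        }
        {
            if ($5 + 0 > pmax)  print $1 ": max age " $5 " exceeds " pmax
            if ($4 + 0 < pmin)  print $1 ": min age " ($4 + 0) " below " pmin
            if ($6 + 0 < pwarn) print $1 ": warning days " ($6 + 0) " below " pwarn
        }'
}

# Constructed sample records (hash fields are placeholders, not real hashes).
sample_shadow() {
    cat <<'EOF'
expiringuser:HASH:20287:7:30:5:::
svcaccount:HASH:20287:0::7:::
olduser:HASH:20000:0:99999:7:::
lockeduser:!HASH:20287:0:99999:7:::
EOF
}

# Audit the constructed records against the lab policy (max 30, min 7, warn 5).
sample_shadow | audit_aging 30 7 5
```

On a real host, feed it the live database instead of the sample, for example `sudo getent shadow | audit_aging 30 7 5`.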

Reference

  • useradd <user> : Creates a new user.
  • passwd <user> : Sets or changes a user password.
  • chage -M <days> <user> : Sets maximum password age (expiration in days).
  • chage -m <days> <user> : Sets minimum password age (days between changes).
  • chage -W <days> <user> : Sets number of warning days before expiration.
  • chage -l <user> : Lists current password aging settings.
  • chage -M -1 <user> : Disables password expiration by setting max age to -1.
  • userdel <user> : Deletes a user account.