Lab 27: Password Aging and Expiration

Configure password aging controls for a user account using chage and validate the resulting policy state. Practice enabling expiration rules, reviewing the policy, then disabling aging and cleaning up.

users security core

Scenario

You are auditing password policy enforcement on a Linux host. A test account named expiringuser must be created and configured with password aging rules to meet internal standards. You will enforce expiration, minimum change windows, and warning periods, confirm the settings with a policy report, then disable aging and remove the account.

Operator context

This is the workflow you use to prove password aging is actually enforced, not just set in policy text somewhere.

Objective

  • Create a user account for testing policy.
  • Set a password and enable password expiration rules.
  • Configure minimum age and expiration warning window.
  • Inspect the resulting policy state with chage reporting.
  • Disable password aging and clean up the user.

Concepts

  • Password aging is stored per-user and can be inspected as evidence using chage.
  • Maximum age determines when a password expires. Minimum age prevents immediate re-changes after a rotation.
  • Warning days determine when pre-expiration notices begin before the expiry date.
  • Disabling aging should be deliberate and validated, especially on service accounts.

Walkthrough

Step 1 : Create the test user.
Command
sudo useradd expiringuser

Create a dedicated account so the policy changes are isolated and easy to inspect.

Step 2 : Set a password for the test user.
Command
sudo passwd expiringuser

Password aging targets password metadata. Set a password first so the last password change field is meaningful.

Step 3 : Enable password expiration with max age.
Command
sudo chage -M 30 expiringuser

Maximum age controls how long a password can remain valid before the user must change it.

Step 4 : Enforce minimum password age.
Command
sudo chage -m 7 expiringuser

Minimum age prevents rapid password cycling and supports stronger password rotation enforcement.

Step 5 : Set the expiration warning window.
Command
sudo chage -W 5 expiringuser

Warning days control when users begin receiving expiration warnings prior to password expiry.

Step 6 : Audit the policy state.
Command
sudo chage -l expiringuser

This is your proof step. It prints the effective aging configuration attached to the user account.

Last password change                    : Jul 18, 2025
Password expires                        : Aug 17, 2025
Password inactive                       : never
Account expires                         : never
Minimum number of days between password change : 7
Maximum number of days between password change : 30
Number of days of warning before password expires: 5

Step 7 : Disable password aging.
Command
sudo chage -M -1 expiringuser

Setting max age to -1 disables expiration. Validate the result by re-checking the policy report.

sudo chage -l expiringuser

Step 8 : Remove the test user.
Command
sudo userdel expiringuser

Remove the user once verification is complete so the host returns to a clean baseline state.
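
Step 6 proves the policy for one account by reading the report. The following added example (not part of the original lab) applies the same check to records in shadow(5) format, using the lab's thresholds (30/7/5) and flagging the disabled state that Step 7 creates. The function names, sample records and the fixed day number are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit shadow(5)-format records against the lab's aging policy.
# Thresholds are the values the lab sets with chage -M 30, -m 7 and -W 5.
POLICY_MAX=30; POLICY_MIN=7; POLICY_WARN=5

# audit_line RECORD TODAY  (TODAY = days since 1970-01-01)
# Prints "<user> <STATUS> <detail>"; returns 0 only when the record complies.
audit_line() {
    IFS=: read -r user hash last min max warn _rest <<EOF
$1
EOF
    # '!' or '*' in the hash field: no usable password, so aging does not apply.
    case $hash in '!'*|'*'*) echo "$user SKIP no-usable-password"; return 0;; esac
    # Empty or negative max, or empty lastchg: expiration off, as after Step 7.
    case $max in ''|-*) echo "$user FAIL aging-disabled"; return 1;; esac
    [ -n "$last" ] || { echo "$user FAIL aging-disabled"; return 1; }
    [ "$last" -ne 0 ] || { echo "$user EXPIRED change-required-at-login"; return 1; }
    [ "$max" -le "$POLICY_MAX" ] || { echo "$user FAIL max=$max"; return 1; }
    [ "${min:-0}" -ge "$POLICY_MIN" ] || { echo "$user FAIL min=${min:-0}"; return 1; }
    [ "${warn:-0}" -ge "$POLICY_WARN" ] || { echo "$user FAIL warn=${warn:-0}"; return 1; }
    left=$(( last + max - $2 ))
    [ "$left" -ge 0 ] || { echo "$user EXPIRED overdue=$(( -left ))"; return 1; }
    [ "$left" -gt "$warn" ] || { echo "$user OK warning days_left=$left"; return 0; }
    echo "$user OK days_left=$left"
}

# audit_all TODAY: read records on stdin, print one line each, then a summary.
audit_all() {
    fails=0
    while IFS= read -r rec; do
        [ -n "$rec" ] || continue
        audit_line "$rec" "$1" || fails=$(( fails + 1 ))
    done
    echo "noncompliant=$fails"
}

# Constructed sample records (hashes are placeholders). 20287 = Jul 18, 2025.
SAMPLE='expiringuser:$6$placeholder:20287:7:30:5:::
relaxed:$6$placeholder:20287:0:30:5:::
noaging:$6$placeholder:20287:7::5:::
svc-backup:!:20000:0:99999:7:::'

# Fixed "today" (Aug 14, 2025) keeps the demo deterministic. On a live host:
#   sudo getent shadow | audit_all "$(( $(date +%s) / 86400 ))"
printf '%s\n' "$SAMPLE" | audit_all 20314
```

The day arithmetic matches the report in Step 6: 20287 + 30 = 20317, which is Aug 17, 2025.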

Breakpoints

No password change date

If you run chage before setting a password, the policy output may be confusing because the last-change field is not meaningful. Set the password with passwd and re-check with chage -l.

Policy appears set but user is not forced to rotate

Password aging is only one layer. Login restrictions may also depend on PAM and account state. Confirm the user is not locked and verify policy again using chage -l.

Cleanup leaves home directory behind

This lab uses userdel without removing the home directory. If you created a home directory and want it removed, use userdel -r.

Cleanup checklist

  • Confirm the account no longer exists in the passwd database.
  • Confirm there are no leftover processes owned by the test user.

Commands
getent passwd expiringuser
ps -u expiringuser

Reference

  • useradd: Creates a new user.
  • passwd: Sets or changes a user password.
  • chage: Manages password aging information.
    • -M: Set maximum password age in days.
    • -m: Set minimum password age in days.
    • -W: Set warning days before expiration.
    • -l: List current aging settings.
  • userdel: Deletes a user account.
  • getent: Queries system databases.
  • ps: Lists processes.
    • -u: Select processes by effective user.