Provision a new user, set an initial password, and enforce a first-login password reset as a baseline onboarding workflow. Inspect and tighten password aging with chage so the account doesn’t drift into never-expire defaults.
A new local user account needs to be onboarded on a production system. You must set an initial password, force a password change at next login, and enforce a baseline aging policy so the account does not drift into “never expires” defaults.
Treat this as a standard access workflow: establish a temporary credential, force the user to set a private secret on first login, then apply minimum, maximum, and warning controls to align with account lifecycle policy.
Lab steps:
Create the user appuser (if missing).
Set an initial password and expire it with passwd -e.
Inspect the current aging policy with chage -l.
Apply chage controls for minimum, maximum, and warning days.

Create the user appuser.
sudo useradd -m appuser
The -m flag ensures a home directory is created. If the user already exists, confirm you are working on the correct account before modifying password state.
# If the user already exists, you might see:
useradd: user 'appuser' already exists
Set an initial password for appuser.
sudo passwd appuser
This establishes a usable credential. The user will be forced to replace it at first login in the next step.
Changing password for user appuser.
New password: ********
Retype new password: ********
passwd: password updated successfully
Force a password change at next login.
sudo passwd -e appuser
This expires the password immediately. The next successful login forces the user to set a new secret that only they know.
passwd: password expiry information changed.
Inspect the current aging policy.
sudo chage -l appuser
Capture the “before” snapshot so you can validate policy changes cleanly. Focus on minimum days, maximum days, and warning days.
# Example output (varies by distro/config):
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Apply the baseline aging policy.
sudo chage -m 7 -M 90 -W 7 appuser
This enforces a minimum of 7 days between changes, a maximum lifetime of 90 days, and a 7-day warning window. Re-run chage -l to confirm the new values took effect.
sudo chage -l appuser
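The same workflow as one script, added here as an example that is not part of the original lab: it creates the account only if missing, checks that it is a local account rather than a directory user, sets the temporary password non-interactively with chpasswd (a shadow-utils tool the lab itself does not use), expires it, applies the aging values, and then verifies the result by parsing chage -l output instead of trusting the exit code. The INITIAL_PASSWORD variable and the baseline thresholds are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original lab. Baseline thresholds are
# assumed policy values; INITIAL_PASSWORD is an assumed env var so the
# temporary credential is never hard-coded. onboard_user needs root.
set -u

MIN_DAYS=7     # -m: minimum days between changes
MAX_DAYS=90    # -M: maximum password age
WARN_DAYS=7    # -W: warning window before expiry

# Pull one numeric field out of `chage -l` text: $1 = output, $2 = line label.
chage_field() {
    printf '%s\n' "$1" | awk -F': ' -v key="$2" \
        'index($0, key) == 1 { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# Return 0 when min/max/warn meet the baseline, 1 if any value drifts, 2 if unparsable.
check_aging_policy() {
    local out="$1" min max warn rc=0
    min=$(chage_field "$out" "Minimum number of days between password change")
    max=$(chage_field "$out" "Maximum number of days between password change")
    warn=$(chage_field "$out" "Number of days of warning before password expires")
    if [ -z "$min" ] || [ -z "$max" ] || [ -z "$warn" ]; then
        echo "could not parse chage -l output" >&2; return 2
    fi
    [ "$min" -ge "$MIN_DAYS" ]   || { echo "minimum age $min < $MIN_DAYS" >&2; rc=1; }
    [ "$max" -le "$MAX_DAYS" ]   || { echo "maximum age $max > $MAX_DAYS (99999 = never expires)" >&2; rc=1; }
    [ "$warn" -ge "$WARN_DAYS" ] || { echo "warning window $warn < $WARN_DAYS" >&2; rc=1; }
    return "$rc"
}

# The lab's workflow end to end: create if missing (and prove it is a local
# account), set the temporary password non-interactively via chpasswd,
# expire it, apply aging, then verify from what chage actually reports.
onboard_user() {
    local user="$1"
    if getent passwd "$user" >/dev/null; then
        grep -q "^$user:" /etc/passwd \
            || { echo "$user exists but is not in /etc/passwd (centrally managed?)" >&2; return 1; }
    else
        useradd -m "$user"
    fi
    printf '%s:%s\n' "$user" "${INITIAL_PASSWORD:?set INITIAL_PASSWORD first}" | chpasswd
    passwd -e "$user"
    chage -m "$MIN_DAYS" -M "$MAX_DAYS" -W "$WARN_DAYS" "$user"
    check_aging_policy "$(chage -l "$user")"
}

# Usage (as root): INITIAL_PASSWORD='...' ./onboard.sh appuser
[ "$#" -eq 1 ] && onboard_user "$1"
```

check_aging_policy can also be pointed at any existing account (check_aging_policy "$(chage -l someuser)") to audit whether it has drifted back to the 99999-day default.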
Troubleshooting
If useradd reported that the user already exists, continue with the password and aging steps, but first confirm the account is the intended target with
getent passwd appuser
before changing password state. Confirm the account is local and not managed by centralized identity (LDAP/SSSD). On centrally managed systems, local password changes may be disallowed or apply only to local users.
If the aging values do not appear to change, re-run
chage -l
and confirm you targeted the correct user. If policy is enforced centrally, local changes may be overridden by directory policy or management tooling.
This lab creates a local test account. If you do not need the user afterward, remove the account and its home directory to return the system to baseline.
sudo userdel -r appuser
Command reference
useradd: Create a new local user account.
  -m: Create the user’s home directory.
passwd: Set or update a user password.
  -e: Expire the password immediately (force reset at next login).
chage: Display or modify password aging policy for a user.
  -l: Display password aging information.
  -m: Set the minimum days between password changes.
  -M: Set the maximum password age in days.
  -W: Set warning days before password expiration.
userdel: Remove a local user account.
  -r: Remove the user’s home directory and mail spool.
getent passwd <user>: Confirm a user account exists and identify its source. getent queries the configured NSS sources (local files, SSSD, LDAP, etc.).