How to check last password change date of user in Linux/Unix

In this article I will cover the following topics:

  • chage command examples
  • check last password change date of system and Active Directory User
  • check password status of user
  • overview on /etc/shadow file format and field
  • check password expiration

 

chage command

The chage command changes the number of days between password changes and the date of the last password change. The system uses this information to determine when a user must change their password. chage reads /etc/passwd and /etc/shadow to get a user's password-related details, such as the last password change date, password expiry and other aging information.

 

Check last password change date

For system user

The chage command reads the last password change date from the file /etc/shadow, where it is stored in the 3rd field.
To view account aging information for user deepak using the chage command:

# chage -l deepak
Last password change                                    : Nov 09, 2019
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

 

Understanding shadow file format and fields.

The information is stored not as a date and time but as the number of days since Jan 1, 1970. An example is given below.

test::16681:0:99999:7::19691002:
                        ^
                        |---------- Here

We have 9 fields in /etc/shadow. The meanings of each field in the order they are present:

  • sp_namp - pointer to null-terminated user name
  • sp_pwdp - pointer to null-terminated password
  • sp_lstchg - days since Jan 1, 1970 password was last changed
  • sp_min - days before which password may not be changed
  • sp_max - days after which password must be changed
  • sp_warn - days before password is to expire that user is warned of pending password expiration
  • sp_inact - days after password expires that account is considered inactive and disabled
  • sp_expire - days since Jan 1, 1970 when account will be disabled
  • sp_flag - reserved for future use
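The days-since-1970 conversion described above, as an added example that is not part of the original article: it splits a shadow-format line into the nine fields and derives the dates that chage -l prints. The deepak line and its hash are constructed, and treating 99999 as "never" is an assumption taken from the chage output shown in this article.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = ("sp_namp", "sp_pwdp", "sp_lstchg", "sp_min", "sp_max",
          "sp_warn", "sp_inact", "sp_expire", "sp_flag")
NEVER = 99999  # assumption: the value the article's output shows as "never"

# Constructed sample entry (placeholder hash): changed 2019-11-23, max 30 days
SAMPLE = "deepak:$6$CONSTRUCTED$placeholder:18223:0:30:7:::"

def days_to_date(days):
    """Convert a days-since-Jan-1-1970 count to a calendar date."""
    return EPOCH + timedelta(days=days)

def parse_shadow_line(line):
    """Split one shadow entry into its 9 named fields.
    Numeric fields become int; an empty field becomes None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    for name in FIELDS[2:8]:
        entry[name] = int(entry[name]) if entry[name] else None
    return entry

def aging_report(entry):
    """Derive last-change and expiry dates from the raw aging fields."""
    lstchg, max_days = entry["sp_lstchg"], entry["sp_max"]
    report = {"last_change": None, "password_expires": None,
              # sp_lstchg == 0 forces a change at the next login
              "must_change_at_next_login": lstchg == 0}
    if lstchg:  # None means aging is disabled for this account
        report["last_change"] = days_to_date(lstchg)
        if max_days is not None and max_days < NEVER:
            report["password_expires"] = days_to_date(lstchg + max_days)
    return report

if __name__ == "__main__":
    for line in (SAMPLE, "test::16681:0:99999:7::19691002:"):
        entry = parse_shadow_line(line)
        print(entry["sp_namp"], aging_report(entry))
```

Reading the real /etc/shadow requires root; the functions only need the line text, so they can be run against a copy or a single extracted entry.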

As you see, the first section can be used to check the last password change date of a user:

# chage -l deepak |  head -n 1
Last password change                                    : Nov 09, 2019

But the downside here is that the root user can also change the last password change date using "-d". Here I change user deepak's last password change date to 23rd Nov 2019:

# chage -d 2019-11-23 deepak

NOTE:

As you can see, this value may not be very reliable in some cases, so you can rely on the /var/log/* files to check the password change history of a user. Search for strings such as "passwd", or a related match depending on your distribution, to get the password change history of a user. In any case, in a production environment a normal user will not have the privilege to change the last password change date.

Next, check the last password change date for user deepak:

# chage -l deepak | head -1
Last password change                                    : Nov 23, 2019
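The log cross-check suggested in the note above, as an added example that is not part of the original article: it compares the sp_lstchg value from /etc/shadow with the newest password change recorded by pam_unix. The log lines, the host name server1 and the RFC 3339 timestamp prefix are constructed assumptions; the log file name and line format vary by distribution.

```python
import re
from datetime import date, datetime, timedelta

# pam_unix message written when passwd changes a password. The timestamp and
# host prefix are an assumption about the syslog format in use.
CHANGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+) \S+ passwd(?:\[\d+\])?: "
    r"pam_unix\(passwd:chauthtok\): password changed for (?P<user>\S+)$")

# Constructed sample log lines
SAMPLE_LOG = [
    "2019-11-09T10:15:02+00:00 server1 passwd[2211]: "
    "pam_unix(passwd:chauthtok): password changed for deepak",
    "2019-11-09T10:20:41+00:00 server1 sshd[2300]: "
    "Accepted password for deepak from 192.0.2.10 port 51234 ssh2",
    "2019-08-31T09:00:00+00:00 server1 passwd[1500]: "
    "pam_unix(passwd:chauthtok): password changed for amit",
]

def logged_changes(lines, user):
    """Return the dates of logged password changes for user, oldest first."""
    dates = []
    for line in lines:
        m = CHANGE_RE.match(line.strip())
        if m and m.group("user") == user:
            dates.append(datetime.fromisoformat(m.group("ts")).date())
    return sorted(dates)

def check_lstchg(sp_lstchg, lines, user, tolerance_days=1):
    """Compare the shadow last-change field with the newest logged change.
    One day of tolerance covers the gap between local time and UTC days."""
    recorded = date(1970, 1, 1) + timedelta(days=sp_lstchg)
    changes = logged_changes(lines, user)
    if not changes:
        return "no-log-evidence", recorded, None
    newest = changes[-1]
    if abs((recorded - newest).days) <= tolerance_days:
        return "consistent", recorded, newest
    return "mismatch", recorded, newest

if __name__ == "__main__":
    # 18223 = Nov 23, 2019, the date set with "chage -d" in the article
    print(check_lstchg(18223, SAMPLE_LOG, "deepak"))
```

A "mismatch" result is a lead to follow up, not proof of tampering: rotated logs or a password set by a tool other than passwd produce the same result.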

 

For Active Directory User

But what if your Linux system is connected to Windows Active Directory? To check the last password change date of an AD user you will need access to the Windows Active Directory node. I am not aware of any tool which can show last password change related details of an Active Directory user on Linux.
Please do let me know via the comment section if you are familiar with any tool. On Windows AD you can use "net user" from PowerShell to check when the password expires for an AD user.
Syntax:

net user USERNAME /domain

I have an AD user amit on my RHEL 7 Linux client which is connected to Windows Active Directory

# id golinuxcloud.com\\amit
uid=1407601118(amit) gid=1407600513(domain users) groups=1407600513(domain users)

For example, to check the last password change date of Active Directory user amit from the PowerShell CLI of Windows Server 2012:

PS C:\Users\Administrator> net user amit /domain
User name                    amit
Full Name                    admit
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            11/24/2019 12:20:58 PM
Password expires             1/5/2020 12:20:58 PM
Password changeable          11/25/2019 12:20:58 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.

 

Check password expiration in Linux

Using the chage command you can also check the password expiration date of a user in Linux, and of course change it. To check the password expiration date of user deepak:

# chage -l deepak | head -n2
Last password change                                    : Nov 23, 2019
Password expires                                        : never

So the password is currently set to never expire for deepak. To change the password expiration date of user deepak we will use "-M". Using -M we set the maximum number of days during which a password is valid. Here we set the password to expire after 30 days:

# chage -M 30 deepak

Now check password expiration date of deepak

# chage -l deepak | head -n2
Last password change                                    : Nov 23, 2019
Password expires                                        : Dec 23, 2019

 

passwd command

Another tool in Linux is the passwd command, which most of us use mainly to change a user's password. But the passwd command can do much more, such as check password status, reset a password's failed login attempts, lock and unlock a user, and more.

 

Check password status

You can also check the password status of a user with the passwd command. Here -S outputs short information about the status of the password for a given account:

# passwd -S deepak
deepak PS 2019-08-31 0 99999 7 -1 (Password set, SHA512 crypt.)

You can also check the last password change date of a user using "passwd -S". The third field of the passwd -S output above is the last password change date of the user, which is in sync with the chage command output below from the same Linux machine.

# chage -l deepak | head -n 1
Last password change                                    : Aug 31, 2019

 

If the password is locked for user deepak, the password status output looks like this:

# passwd -S deepak
deepak LK 2019-11-23 0 30 7 -1 (Password locked.)

 

Lastly, I hope the steps from the article to check the last password change date and password aging information of system and Active Directory users in Linux were helpful. So, let me know your suggestions and feedback using the comment section.

 
