In this article I will cover the topics below:
- chage command examples
- check last password change date of system and Active Directory User
- check password status of user
- overview on /etc/shadow file format and field
- check password expiration
chage command
The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change their password. It uses /etc/passwd and /etc/shadow to get a user's password-related details, such as the last password change date, password expiry and aging information.
Check last password change date
For system user
The chage command reads the last password change date from the file /etc/shadow. The date of the last password change is stored in the 3rd field of /etc/shadow.
To view account aging information for user deepak using the chage command:
# chage -l deepak
Last password change : Nov 09, 2019
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Understanding shadow file format and fields.
The information is stored not exactly as date+time but as number of days since Jan 1, 1970. Example given below.
test::16681:0:99999:7::19691002:
      ^
      |---------- Here
We have 9 fields in /etc/shadow. The meanings of each field in the order they are present:
- sp_namp - pointer to null-terminated user name
- sp_pwdp - pointer to null-terminated password
- sp_lstchg - days since Jan 1, 1970 password was last changed
- sp_min - days before which password may not be changed
- sp_max - days after which password must be changed
- sp_warn - days before password is to expire that user is warned of pending password expiration
- sp_inact - days after password expires that account is considered inactive and disabled
- sp_expire - days since Jan 1, 1970 when account will be disabled
- sp_flag - reserved for future use
As you can see, the first line of the output can be used to check the last password change date of a user
# chage -l deepak | head -n 1
Last password change : Nov 09, 2019
But the downside here is that the root user can also change the last password change date using "-d". Here I change user deepak's last password change date to 23rd Nov 2019
# chage -d 2019-11-23 deepak
You can use the /var/log/* files to check the password change history of a user. Search for strings such as "passwd" or a related match, depending upon your distribution, to get the password change history of a user. Anyhow, in a production environment a normal user will not have the privilege to change the last password change date.
Next, check the last password change date for user deepak
# chage -l deepak | head -1
Last password change : Nov 23, 2019
For Active Directory User
But what if your Linux system is connected to Windows Active Directory? To check the last password change date of an AD user you will need access to the Windows Active Directory node. I am not aware of any tool which can show last password change related details of an Active Directory user on Linux.
Please do let me know via the comment section if you are familiar with any tool. On Windows AD you can use "net user" from PowerShell to check when the password expires for an AD user.
Syntax:
net user USERNAME /domain
I have an AD user amit on my RHEL 7 Linux client which is connected to Windows Active Directory
# id www.golinuxcloud.com\\amit
uid=1407601118(amit) gid=1407600513(domain users) groups=1407600513(domain users)
For example, to check the last password change date of Active Directory user amit from the PowerShell CLI of Windows Server 2012
PS C:\Users\Administrator> net user amit /domain
User name amit
Full Name admit
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 11/24/2019 12:20:58 PM
Password expires 1/5/2020 12:20:58 PM
Password changeable 11/25/2019 12:20:58 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users
The command completed successfully.
Check password expiration in Linux
Using the chage command you can also check the password expiration date of a user in Linux, and of course change it. Now to check the password expiration date of user deepak
# chage -l deepak | head -n2
Last password change : Nov 23, 2019
Password expires : never
So now the password is set to "never expire" for deepak. To change the password expiration date of user deepak we will use "-M". Using -M we set the maximum number of days during which a password is valid. So here we set password expiration after 30 days
# chage -M 30 deepak
Now check password expiration date of deepak
# chage -l deepak | head -n2
Last password change : Nov 23, 2019
Password expires : Dec 23, 2019
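The shadow field layout and the "-M 30" expiry calculation described above, worked through in code. This is an added example, not part of the original article: the function names and the deepak entry (with a placeholder in the password field) are constructed for illustration, and treating an empty or 99999 sp_max as "never" is an assumption that matches the chage output shown on this page.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
# Field names in the order the article lists them for /etc/shadow.
FIELDS = ("sp_namp", "sp_pwdp", "sp_lstchg", "sp_min", "sp_max",
          "sp_warn", "sp_inact", "sp_expire", "sp_flag")
NUMERIC = FIELDS[2:8]


def parse_shadow_line(line):
    """Split one shadow entry into its 9 named fields; empty numeric fields become None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    for name in NUMERIC:
        entry[name] = int(entry[name]) if entry[name] else None
    return entry


def days_to_date(days):
    """Convert a day count since Jan 1, 1970 into a calendar date."""
    return EPOCH + timedelta(days=days)


def password_aging(line):
    """Return (user, last_change, expires) in the spirit of `chage -l`."""
    e = parse_shadow_line(line)
    lstchg, max_days = e["sp_lstchg"], e["sp_max"]
    if lstchg == 0:        # 0 means the user must change the password at next login
        return e["sp_namp"], None, "password must be changed"
    if lstchg is None:     # aging information not set
        return e["sp_namp"], None, "never"
    last = days_to_date(lstchg)
    # Assumption: empty sp_max or the 99999 default means the password never expires.
    if max_days is None or max_days >= 99999:
        return e["sp_namp"], last, "never"
    return e["sp_namp"], last, days_to_date(lstchg + max_days)


# Constructed sample entries; the password field holds a placeholder, not a real hash.
SAMPLES = [
    "test::16681:0:99999:7::19691002:",       # the article's example line
    "deepak:$6$CONSTRUCTED:18223:0:30:7:::",  # state after `chage -d 2019-11-23` and `chage -M 30`
]

if __name__ == "__main__":
    for sample in SAMPLES:
        user, last, expires = password_aging(sample)
        print(f"{user}: last change {last}, password expires {expires}")
```

Because root can rewrite sp_lstchg with "chage -d", the dates this produces describe the current aging policy state, not a tamper-proof history of password changes.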
passwd command
We have another tool in Linux, the passwd command, which most of us use mainly to change the password of a user. But the passwd command can do much more, such as check password status, reset a password's failed login attempts, lock and unlock a user and many more.
Check password status
You can also check the password status of a user with the passwd command. Here -S will output short information about the status of the password for a given account
# passwd -S deepak
deepak PS 2019-08-31 0 99999 7 -1 (Password set, SHA512 crypt.)
You can also check the last password change date of a user using "passwd -S". Observe the third field of the output above to check the last password change date of the provided user, which is in sync with the chage command output below from the same Linux machine.
# chage -l deepak | head -n 1
Last password change : Aug 31, 2019
In case the password is locked for user deepak, the check password status output would be like below
# passwd -S deepak
deepak LK 2019-11-23 0 30 7 -1 (Password locked.)
Lastly, I hope the steps from the article to check the last password change date and password aging information of system and Active Directory users in Linux were helpful. So, let me know your suggestions and feedback using the comment section.