Table of Contents
In this article I will cover below topics:
- chage command examples
- check last password change date of system and Active Directory User
- check password status of user
- overview on
/etc/shadowfile format and field
- check password expiration
chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change their password. It uses
/etc/shadow to get user’s password related details such as to check last password change date, password expiry and aging related information.
Check last password change date
For system user
chage command reads last password change date from file
/etc/shadow. The date of last password change is stored in 3rd field in file
To view account aging information for user
# chage -l deepak Last password change : Nov 09, 2019 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7
Understanding shadow file format and fields.
The information is stored not exactly as date+time but as number of days since Jan 1, 1970. Example given below.
test::16681:0:99999:7::19691002: ^ |---------- Here
We have 9 fields in /etc/shadow. The meanings of each field in the order they are present:
- sp_namp – pointer to null-terminated user name
- sp_pwdp – pointer to null-terminated password
- sp_lstchg – days since Jan 1, 1970 password was last changed
- sp_min – days before which password may not be changed
- sp_max – days after which password must be changed
- sp_warn – days before password is to expire that user is warned of pending password expiration
- sp_inact – days after password expires that account is considered inactive and disabled
- sp_expire – days since Jan 1, 1970 when account will be disabled
- sp_flag – reserved for future use
As you see the fist section can be used to check last password change date of user
# chage -l deepak | head -n 1 Last password change : Nov 09, 2019
But the downside here is that root user can also change last password change date using “
-d“. Here I change user
deepak's last password change date to 23rd Nov 2019
# chage -d 2019-11-23 deepak
/var/log/*files to check the password change history of a user. You can search for strings such as “
passwd” or related match depending upon your distribution to get password change history of a user. Anyhow in production environment normal user will not have privilege to change last password change date.
Next check last password change date for user
# chage -l deepak | head -1 Last password change : Nov 23, 2019
For Active Directory User
But what if your Linux system is connected to Windows Active Directory, so to check last password change date of AD user you will need access to the Windows Active Directory node. I am not aware of any tool which can show last password change related details of an Active Directory user on Linux.
Please do let me know via comment section if you are familiar with any tool. On Windows AD you can use “
net user” using powershell to check when password expires for AD user.
net user USERNAME /domain
I have an AD user
amit on my RHEL 7 Linux client which is connected to Windows Active Directory
# id golinuxcloud.com\\amit uid=1407601118(amit) gid=1407600513(domain users) groups=1407600513(domain users)
For example to check last password change date of Active Directory user
amit, from the powershell CLI of Windows Server 2012
PS C:\Users\Administrator> net user amit /domain User name amit Full Name admit Comment User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 11/24/2019 12:20:58 PM Password expires 1/5/2020 12:20:58 PM Password changeable 11/25/2019 12:20:58 PM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon Never Logon hours allowed All Local Group Memberships Global Group memberships *Domain Users The command completed successfully.
Check password expiration in Linux
chage command you can also check password expiration date of a user in Linux, and of course change it. Now to check password expiration date of user
# chage -l deepak | head -n2 Last password change : Nov 23, 2019 Password expires : never
So now the password is set to “
never expire” for
deepak. To change password expiration date of user
deepak we will use “
-M we wet the maximum number of days during which a password is valid. So here we set password expiration after 30 days
# chage -M 30 deepak
Now check password expiration date of
# chage -l deepak | head -n2 Last password change : Nov 23, 2019 Password expires : Dec 23, 2019
We have another tool passwd command in Linux which most of us mostly use to change password of user. But
passwd command can do much more such as, check password status, reset password’s failed login attempts, lock and unlock user and many more.
Check password status
You can also check password status of user with
passwd command. Here
-S will output a short information about the status of the password for a given account
# passwd -S deepak deepak PS 2019-08-31 0 99999 7 -1 (Password set, SHA512 crypt.)
You can also check last password change date of a user using “
passwd -S“. Observe the third field of below output to check last password change date of the provided user above which is in synch with
chage command output from the same Linux machine.
# chage -l deepak | head -n 1 Last password change : Aug 31, 2019
In case the password is locked for user
deepak, the check password status output would be like below
# passwd -S deepak deepak LK 2019-11-23 0 30 7 -1 (Password locked.)
Lastly I hope the steps from the article to check last password change date and password aging information of system and active directory user in Linux was helpful. So, let me know your suggestions and feedback using the comment section.