Mastering Linux Security and Hardening

Setting and enforcing password and account expiration

Something you never want is to have unused user accounts remain active. There have been incidents where an administrator set up user accounts for temporary usage, such as for a conference, and then just forgot about them after the accounts were no longer needed. Another example would be if your company were to hire contract workers whose contract expires on a specific date. Allowing those accounts to remain active and accessible after the temporary employees leave the company would be a huge security problem. In cases like these, you want a way to ensure that temporary user accounts aren't forgotten about when they're no longer needed. If your employer subscribes to the conventional wisdom that users should change their passwords on a regular basis, then you'll also want to ensure that it gets done.

Password expiration data and account expiration data are two different things. They can be set either separately or together. When someone's password expires, he or she can change it, and everything will be all good. If somebody's account expires, only someone with the proper admin privileges can unlock it.

To get started, take a look at the expiry data for your own account. (Note that you won't need sudo privileges to look at your own data, but you will still need to specify your own username.)

donnie@packt:~$ chage -l donnie
[sudo] password for donnie:
Last password change : Oct 03, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
donnie@packt:~$

You can see here that no expiration data have been set. Everything here is set according to the out-of-box system default values. Other than the obvious items, here's a breakdown of what you see:

  • Password inactive: If this were set to a positive number, I would have that many days to change an expired password before the system would lock out my account.
  • Minimum number of days between password change: Because this is set to 0, I can change my password as often as I like. If it were set to a positive number, I would have to wait that number of days after changing my password before I could change it again.
  • Maximum number of days between password change: This is set to the default value of 99999, meaning that my password will never expire.
  • Number of days warning before password expires: The default value is 7, but that's rather meaningless when the password is set to never expire.

With the chage utility, you can either set password and account expiration data for other users or use the -l option to view expiration data. Any unprivileged user can run chage -l without sudo to view his or her own data. To set data, or to view someone else's data, you need sudo. We'll take a closer look at chage a bit later.

Before we look at how to change expiration data, let's first look at where the default settings are stored. We'll first look at the /etc/login.defs file. The three relevant lines are:

PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7

You can edit these values to fit your organization's needs. For example, changing PASS_MAX_DAYS to a value of 30 would cause the passwords of all user accounts created from that point on to expire 30 days after they are set. Note that these are defaults for new accounts only: existing accounts keep whatever aging values are already recorded in /etc/shadow until you change them with chage. (By the way, setting the default password expiry data in login.defs works on both Red Hat/CentOS and Debian/Ubuntu.)
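To tie the two pieces together, here is an added audit script that is not part of the book. It parses the chage -l output shown above and the three PASS_* lines from login.defs, shows how the "Password expires" date is derived from the last change date plus the maximum age, and reports where an account falls short of the login.defs policy (for instance, an account still on the 99999 default, or a temporary account with no account expiration date). Both inputs are constructed samples embedded in the script, so it runs without root and without touching /etc/shadow; the field names, the hypothetical policy values in SAMPLE_LOGIN_DEFS and the finding codes are assumptions of this example.

```python
"""Added example (not from the book): audit one account's `chage -l` output
against the PASS_* defaults in /etc/login.defs and report policy gaps.
Both inputs are constructed samples, so the script needs no root access."""
from datetime import date, datetime, timedelta

# Constructed sample: the `chage -l donnie` output shown in the text.
SAMPLE_CHAGE_OUTPUT = """\
Last password change : Oct 03, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
"""

# Constructed sample: /etc/login.defs after an administrator tightened the
# aging defaults (the stock values are 99999, 0 and 7). Hypothetical policy.
SAMPLE_LOGIN_DEFS = """\
# Password aging controls; comment and blank lines are ignored
PASS_MAX_DAYS   30
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
"""

NEVER = 99999  # the max-days value that the shadow suite treats as "never expires"


def parse_login_defs(text):
    """Return {KEY: int} for the PASS_* aging keys in login.defs-style text."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("PASS_"):
            values[parts[0]] = int(parts[1])
    return values


def parse_chage_date(value):
    """Parse a date in the 'Oct 03, 2017' form that chage -l prints."""
    return datetime.strptime(value, "%b %d, %Y").date()


def parse_chage(text):
    """Return {field: value} from `chage -l` output.

    Dates become datetime.date, the word 'never' becomes None, and the
    day-count fields become int. Only the value forms shown in the text
    are handled (assumption of this example)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if value == "never":
            fields[key] = None
        elif value.isdigit():
            fields[key] = int(value)
        else:
            fields[key] = parse_chage_date(value)
    return fields


def password_expiry_date(last_change, max_days):
    """Date on which a password expires, or None when max_days means never.
    This is the arithmetic behind chage's 'Password expires' line."""
    if last_change is None or max_days >= NEVER:
        return None
    return last_change + timedelta(days=max_days)


def audit(chage_fields, policy, today):
    """Compare one account's aging settings with the login.defs policy.
    Returns a list of (code, message) findings; an empty list means compliant."""
    findings = []
    max_days = chage_fields["Maximum number of days between password change"]
    min_days = chage_fields["Minimum number of days between password change"]
    warn_days = chage_fields["Number of days of warning before password expires"]
    last_change = chage_fields["Last password change"]

    if max_days > policy["PASS_MAX_DAYS"]:
        findings.append(("MAX_DAYS", f"password max age {max_days} exceeds policy {policy['PASS_MAX_DAYS']}"))
    if min_days < policy["PASS_MIN_DAYS"]:
        findings.append(("MIN_DAYS", f"password min age {min_days} is below policy {policy['PASS_MIN_DAYS']}"))
    if warn_days < policy["PASS_WARN_AGE"]:
        findings.append(("WARN_AGE", f"warning period {warn_days} is below policy {policy['PASS_WARN_AGE']}"))
    if chage_fields["Account expires"] is None:
        findings.append(("NO_ACCOUNT_EXPIRY", "account never expires; set a date for temporary accounts"))
    # Judge the password's age against the policy rather than the account's
    # own max-days value: an account still on the 99999 default would never
    # report itself as expired.
    if last_change is not None and (today - last_change).days > policy["PASS_MAX_DAYS"]:
        findings.append(("PASSWORD_OVERDUE", f"password last changed {last_change}, older than policy allows"))
    return findings


if __name__ == "__main__":
    policy = parse_login_defs(SAMPLE_LOGIN_DEFS)
    fields = parse_chage(SAMPLE_CHAGE_OUTPUT)
    for code, message in audit(fields, policy, today=date(2017, 11, 15)):
        print(f"{code}: {message}")
```

Run as-is, the script reports four findings for the sample account: the 99999 maximum age, the zero minimum age, the missing account expiration date, and a password that is older than the 30-day policy. On a real system you would feed it the output of chage -l for each user (which needs sudo for accounts other than your own) and the live /etc/login.defs; the policy comparison is the same.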