How to force regular changes to Linux passwords


Password aging is a system mechanism that forces a password to expire after a certain length of time. It causes some inconvenience for the user, but it ensures that the password is changed periodically and is a good security measure. By default, most Linux distributions do not enable password aging, but it is very simple to turn on. By editing /etc/login.defs you can set a few parameters that become the default aging settings for new accounts:

    PASS_MAX_DAYS 99999
    PASS_MIN_DAYS 0
    PASS_WARN_AGE 7

Setting the maximum age to 99999 days is effectively the same as turning password aging off. A more sensible setting is generally 60 days, which forces a password change every two months. PASS_MIN_DAYS sets the minimum number of days that must pass after a password change before the password can be changed again. PASS_WARN_AGE sets how many days before expiry the user is warned to change the password (the warning is usually shown when the user logs in).

You should also edit /etc/default/useradd and look for the keywords INACTIVE and EXPIRE:

    INACTIVE=14
    EXPIRE=

INACTIVE specifies how many days after the password expires, if it still has not been changed, the account is disabled; here that is 14 days. EXPIRE sets an explicit expiry date for all newly created users (in Year-Month-Day format).

Obviously these changes only affect users created afterwards. To modify the settings of an existing user you need the chage tool:

    # chage -M 60 joe

This command sets the PASS_MAX_DAYS of user joe to 60 and updates the corresponding entry in the shadow file. chage -l lists the current aging settings of an account, -m sets PASS_MIN_DAYS, -W sets PASS_WARN_AGE, and so on. chage lets you change every password aging field of a specific account.
Note that chage only works for accounts on the local system. If you use an authentication system such as LDAP, the tool will not work: even if you only try to list a user's password timestamps with chage, you will find that it does not work at all. It is good practice to define a policy for how often passwords must be changed and then enforce it. When an employee is dismissed, the password aging policy ensures that the employee is unlikely to find that their password is still valid three months later: even if the system administrator forgets to delete the account, it will be locked automatically by the password aging policy. Of course, this does not excuse failing to delete the employee's account in time, but the policy does provide an extra layer of protection, especially where this step has often been overlooked in the past.
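The aging fields that chage writes, and that the INACTIVE setting relies on, live in the shadow file. As an added example that is not part of the original article, the following POSIX shell audit reads a shadow-format file and reports accounts that do not meet a 60-day policy, have no inactive period, or are already past their max-plus-inactive window (the point where the account should have been locked). The sample file, its placeholder hashes and the "today" value of 20000 days since the epoch are constructed for the demo.

```shell
#!/bin/sh
# Audit a shadow(5)-format file against a password-aging policy.
# Field layout of /etc/shadow:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is days since 1970-01-01; an empty or 99999 max means no aging.
# Usage: audit_shadow FILE POLICY_MAX_DAYS TODAY_IN_DAYS
audit_shadow() {
    awk -F: -v pmax="$2" -v today="$3" '
        # Locked or passwordless system accounts (hash starts with ! or *)
        # cannot log in with a password, so the aging policy does not apply.
        $2 ~ /^[!*]/ { next }
        {
            name = $1; last = $3; max = $5; inact = $7
            if (max == "" || max + 0 >= 99999) {
                print name ": aging disabled (max=" (max == "" ? "unset" : max) ")"; next
            }
            if (max + 0 > pmax + 0) {
                print name ": max " max " exceeds policy " pmax; next
            }
            if (inact == "") {
                print name ": no inactive period set"; next
            }
            # Past max + inactive days: the account should already be locked.
            if (last != "" && today - last > max + inact) {
                print name ": expired and past inactive window"
            }
        }' "$1"
}

# Constructed sample data (hashes are placeholders, not real password hashes).
# Day 20000 since the epoch is used as "today" in the demo below.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$placeholder:19900:0:99999:7:::
alice:$6$placeholder:19950:0:60:7:14::
bob:$6$placeholder:19800:0:60:7:14::
carol:$6$placeholder:19950:0:90:7:14::
dave:$6$placeholder:19950:0:60:7:::
daemon:*:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
EOF
}

sample=$(mktemp)
write_sample_shadow "$sample"
audit_shadow "$sample" 60 20000   # reports root, bob, carol and dave; alice is compliant
rm -f "$sample"
```

On a real system you would run audit_shadow against /etc/shadow as root with today's day count, for example $(( $(date +%s) / 86400 )).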
