How to Force Users to Change Password at Next Login in Linux?


Enforcing password policies is an essential measure for protecting a Linux system against unauthorized access. Requiring users to change their passwords frequently is an effective way to improve your system's security.

Ensuring the security of a Linux system is crucial for system administrators, and one effective way to achieve this is by implementing security measures that mandate users to change their passwords regularly. This article aims to provide guidance on how to enforce password changes during the next login for users on a Linux system.

This article presents two methods for compelling users to change their passwords at their next login to Linux. By employing these methods, you can make sure that users replace their passwords when required, decreasing the possibility of security breaches.

There are two methods to force users to change their passwords at the next login in Linux −

Method 1: Using the Passwd Command

Step 1 − Open the terminal and log in as the root user or use sudo to gain root privileges.

To use the passwd command to expire a user's password, you need to have root privileges. This can be achieved by logging in as the root user or using the sudo command to gain temporary root privileges.

Step 2 − Type the following command −

passwd --expire username

The passwd command in Linux is a tool that allows users to change their account's password. However, the "--expire" option can be used to force the user to change their password upon next login. To use this option, replace "username" with the name of the user whose password you want to expire.

For example, let's say we want to expire the password for the user "robin". We would use the following command −

Example

passwd --expire robin

This command sets the date of the last password change for the user "robin" to 0, which the system treats as an already expired password, so the user will be prompted to change their password at the next login.

Step 3 − When the user tries to log in again, they will be prompted to enter a new password.

Once the user "robin" tries to log in again, they will be prompted to enter a new password. The password can be any combination of letters, numbers, and special characters, as long as it meets the password complexity requirements set by the system administrator.

Output

[root@localhost ~]# passwd --expire robin
passwd: password expiry information changed.
[root@localhost ~]# su - robin
Changing password for user robin.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[robin@localhost ~]$

In the above example, we first logged in as the root user, then used the "passwd --expire robin" command to expire the password for the user "robin". When "robin" tried to log in again, he was prompted to enter a new password. The output shows that the password was successfully changed.

It's important to note that expiring a user's password is a temporary measure and should be followed up with regular password changes to ensure the security of the user's account.

Method 2: Using the Chage Command

The chage command is used to modify the password expiry information for a user account. This command allows the administrator to specify when the user's password will expire and force a password change at the next login. Here's how it works:

Step 1 − Open the terminal and log in as the root user or use sudo to gain root privileges.

Before you can use the chage command to modify a user's password expiry information, you need to be logged in as the root user or have root privileges. This can be achieved by opening a terminal and using the su or sudo command.

Step 2 − Use the chage command to modify the password expiry information for the user account.

To enforce an immediate password change at the user's next login, use the chage command to set the user's password to expire immediately. Here is an example command to achieve this.

Example

chage --lastday 0 username

Output

[root@localhost ~]# chage --lastday 0 jane
Changing the last password change time for jane
New expiration date is Mar 05, 2023

Replace "username" with the actual name of the user whose password you want to expire. The "--lastday 0" option makes the user's password expire right away, which means they will need to change it the next time they log in.

For example, if I want to expire the password for the user "jane", I would use the command −

Example

chage --lastday 0 jane

Output

[root@localhost ~]# chage --lastday 0 jane
Changing the aging information for jane
Enter the new value, or press ENTER for the default
        Minimum Password Age [0]:
        Maximum Password Age [99999]:
        Last Password Change (YYYY-MM-DD) [2022-10-15]:
        Expiration Date (YYYY-MM-DD) [2022-10-15]: 0
        Password inactive after expiration (days) [99999]:
        Account expires (YYYY-MM-DD) [never]:
        Maximum number of days between password change [99999]:
        Number of days of warning before password expires [7]:

Executing this command makes the password for the user "jane" expire immediately. As a result, the next time Jane attempts to log in, she will be required to change her password.

Step 3 − Verify that the password expiry information has been modified.

It is recommended to verify that the password expiry information has been updated correctly after executing the chage command. To do so, run the following command −

Example

chage -l username

Output

$ chage -l jane
Last password change					: Feb 28, 2023
Password expires					: never
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 90
Number of days of warning before password expires	: 7

Replace "username" with the name of the user whose password you changed. This command shows you when the user last changed their password, when they need to change it next, and other important information about their password.

For example, if I want to check the password expiry information for the user "jane", I would use the command −

Example

chage -l jane

Output

Last password change                    : Feb 28, 2023
Password expires                        : Mar 28, 2023
Password inactive                       : never
Account expires                         : never
Minimum number of days between password : 0
Maximum number of days between password : 30
Number of days of warning before password expires : 7

This command would display the current password expiry information for the user "jane".

Step 4 − Wait for the user to log in and change their password.

After making changes to the password expiry information of a user account using the chage command, you should wait for the user to log in and reset their password. At their next login attempt, they will be prompted to create a new password. Once the user enters their new password, the system will automatically update the password expiry information to reflect the recent password change. After that, the user can continue using their account as usual.
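The verification step can also be done for every account at once by reading the third field of the shadow file, which both "passwd --expire" and "chage --lastday 0" set to 0. The script below is an added example, not part of the original article; the function names, status labels and sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify accounts from shadow(5)-format lines on stdin.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg == 0 is the value both `passwd --expire` and `chage --lastday 0`
# write; `chage -l` reports it as "password must be changed".

# Constructed sample data; the hashes are placeholders, not real ones.
sample_shadow() {
    cat <<'EOF'
root:$6$placeholder$hash:19400:0:99999:7:::
robin:$6$placeholder$hash:0:0:99999:7:::
jane:$6$placeholder$hash:0:0:90:7:::
alice:$6$placeholder$hash:19300:0:30:7:::
bob:$6$placeholder$hash:19410:0:90:7:::
daemon:*:19000:0:99999:7:::
EOF
}

# password_status TODAY   (TODAY = days since 1970-01-01)
password_status() {
    awk -F: -v today="$1" '
        $2 ~ /^[!*]/ { print $1 ": locked-or-no-password"; next }
        $3 == "0"    { print $1 ": must-change-at-next-login"; next }
        $3 != "" && $5 != "" && today - $3 > $5 {
                       print $1 ": expired-by-max-age"; next }
                     { print $1 ": ok" }
    '
}

# On a live system (as root):
#   getent shadow | password_status "$(( $(date +%s) / 86400 ))"
# Here the constructed sample is used with a fixed day number.
sample_shadow | password_status 19420
```

Accounts reported as "expired-by-max-age" reached the same state through the normal aging policy rather than through an administrator's forced expiry.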

Conclusion

Forcing users to change their passwords at their next login is an essential security measure to protect sensitive information on a Linux system. In this article, we explored two methods to achieve this. The first method involved using the passwd command with the -e (--expire) option to expire the user's password, while the second method used the chage command to modify password aging policies for the user or all users on the system. Both methods are effective in forcing users to change their passwords, but the chage command is more suitable for changing the password aging policy for multiple users at once. Administrators should use these methods regularly to ensure that users create strong and secure passwords and protect their Linux systems from unauthorized access.

Updated on: 27-Jul-2023
