passwd command with the -e or --expire option.
In this tutorial, I will explore what the passwd --expire command is and how to use it in Linux.
- What is passwd --expire Command
- How to use passwd --expire Command
- How to Check Password Expiry on Linux
- Other Methods to Set Expiry to the User’s Password
- How to Expire Password of Multiple Users in Linux
- How to Expire Password of All Users in Linux
- Conclusion
Note: It is not advisable to edit the /etc/passwd or /etc/shadow files without the required expertise, because a single syntax error may cost you login or root privileges.
What is passwd --expire Command
Before understanding the passwd --expire command, we must have an idea about the passwd command-line utility. The passwd command is used to change the password of any account; a normal user can change his/her own password, while the server administrator or superuser can change any user’s password. Moreover, the passwd command can also be used to set the validity period of the password.
Like other commands, the passwd command has many options to manage passwords. One of those options is the expire option. It immediately expires the password of any user and forces them to change their password on the next login.
Syntax:
The --expire option can be replaced with -e:
Let’s understand how to use the passwd --expire command on Linux.
How to use passwd --expire Command
To force any user to change his/her password on login, the passwd --expire command is used with the username of that particular account.
I am changing the [username] to my own username sami; replace it with the desired user account username.
Upon running this command, you will get a prompt that says the password expiry information changed for the user sami.
When the user logs in next time, the system will force the user to change the password.
If the user sets the same old password, a prompt reports that the password is unchanged.
After setting a strong password, the user can use the account.
On the display manager (graphical login interface), the user will also be prompted for the password change.
How to Check Password Expiry on Linux
By default, on Linux distributions, the user password expires after 99999 days and begins warning the user 7 days before expiration. To check it, execute the following command in the terminal.
You can also find this information in the /etc/login.defs file.
Other Methods to Set Expiry to the User’s Password
There are a couple of other methods as well that force the user to change the password immediately.
i. Using chage Command
The chage command is much more useful for user management. It gives more account information than the passwd command. It can also be used to set the immediate expiry of the user’s password. For example:
In the above command, the --lastday option can also be written as -d.
The 0 shows the number of days, which means that the password change is required immediately after login.
For example, if you want to expire the password of user sami with chage tool, use the command mentioned below:
Now log in, and the user will be prompted to change the password immediately.
Note that after entering the old credentials, the user will be prompted for the password change.
ii. Modifying the /etc/shadow File
The shadow file contains the user passwords and can only be accessed by the root user. It can also be used to set the expiry of the user’s password. This method is for advanced administrators.
Access the file using:
Locate the user, in my case it is sami:
Well, it is hard to read, but the last four fields are of our concern. The following image dissects the line.
We need to modify parameter number 3, which is the last password change date; simply make it 0. The next time the user (sami) logs in, he will be prompted with a password change message.
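The field layout discussed above, as an added example that is not part of the original tutorial: a small shell function that splits a shadow-format line into its fields and reports whether field 3 is 0. The function name `shadow_policy`, the state labels and the three sample lines are constructed for illustration; it reads a copy of the data, not /etc/shadow itself.

```sh
#!/bin/sh
# Added example, not from the original page. The sample lines are constructed.
# shadow(5) field order: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# shadow_policy FILE USER: print a one-line summary for USER; return 1 if absent
shadow_policy() {
    awk -F: -v user="$2" '
        $1 == user {
            found = 1
            # Field 3 = 0 is the value that forces a change at next login.
            # 99999 in field 5 is the conventional "never expires" maximum.
            if ($3 == "0")                    state = "change-required-at-next-login"
            else if ($3 == "")                state = "aging-disabled"
            else if ($5 == "" || $5 >= 99999) state = "no-expiry"
            else                              state = "expires-on-day-" ($3 + $5)
            printf "%s lastchg=%s min=%s max=%s warn=%s state=%s\n",
                   $1, $3, $4, $5, $6, state
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample in /etc/shadow format (placeholder hashes, not real ones)
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
sami:$6$CONSTRUCTED$notarealhash:0:0:99999:7:::
sam1:$6$CONSTRUCTED$notarealhash:19700:0:90:7:::
sam2:$6$CONSTRUCTED$notarealhash:19700:0:99999:7:::
EOF

for u in sami sam1 sam2; do
    shadow_policy "$SAMPLE" "$u"
done
```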
How to Expire Password of Multiple Users in Linux
To expire the passwords of multiple users, you have to go one by one, since passwd --expire does not apply to multiple users at a time.
sudo passwd --expire sam2
Or you can create a bash script and mention the usernames to apply the password expiration to multiple users.
#!/bin/bash
# Expire the password of each listed account
for users in sam1 sam2
do
    passwd --expire "$users"
done
echo "Password expiration has been applied to the mentioned users."
The above Bash script loops through the mentioned usernames sam1 and sam2 and applies the passwd --expire command to each user. Finally, it displays the message.
Save the script and then make the file executable, using:
Execute the script using:
Replace the [script_name] with the original script file name.
How to Expire Password of All Users in Linux
As a system administrator, you may want to expire the passwords of all the users. To do that, run the script given below:
#!/bin/bash
# The {1001..60000} brace expansion requires Bash
for all_users in $(getent passwd {1001..60000} | cut -d: -f1); do
    passwd --expire "$all_users"
done
echo "Password expiration has been applied to all users."
The above script loops through the /etc/passwd entries and stores each result in the all_users variable. The getent tool extracts the entries, while {1001..60000} signifies the real user’s IDs in the /etc/passwd file, which start from 1001. The cut tool extracts the first field from the output of the getent command, delimited by a colon (:).
After that, the passwd --expire command is applied to all the users. When the process is completed, the echo command will execute with a message.
To execute the script, first give it the necessary permissions to make it executable, using the command given below:
To execute the file, use:
Ensure the Bash script file is in the current working directory and replace [script_name] with the original name of the script. For example, in my case it is myscript.sh, so the command will be sudo ./myscript.sh.
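A variant of the all-users loop, as an added example that is not part of the original tutorial: it reads the regular-user UID range from a login.defs-format file instead of fixing it in the script, skips accounts whose shell is nologin or false, and only previews the commands unless told to run. The function names, the "run" argument and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page). Sample data below is constructed.

# uid_bound DEFS KEY FALLBACK: value of KEY in a login.defs-format file
uid_bound() {
    awk -v k="$2" -v d="$3" '$1 == k { v = $2 } END { print (v == "" ? d : v) }' "$1"
}

# expire_targets PASSWD DEFS: names in the regular-user UID range with a login shell
expire_targets() {
    awk -F: -v min="$(uid_bound "$2" UID_MIN 1000)" -v max="$(uid_bound "$2" UID_MAX 60000)" \
        '$3 >= min && $3 <= max && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# expire_all PASSWD DEFS [run]: preview by default; calls passwd only with "run"
expire_all() {
    expire_targets "$1" "$2" | while read -r user; do
        if [ "${3:-}" = run ]; then
            passwd --expire "$user"
        else
            echo "would run: passwd --expire $user"
        fi
    done
}

# Constructed sample files in /etc/passwd and /etc/login.defs format
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sami:x:1000:1000::/home/sami:/bin/bash
sam1:x:1001:1001::/home/sam1:/bin/bash
sam2:x:1002:1002::/home/sam2:/bin/bash
backupsvc:x:1003:1003::/var/backups:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
printf '# constructed\nUID_MIN 1000\nUID_MAX 60000\n' > "$WORK/login.defs"

expire_all "$WORK/passwd" "$WORK/login.defs"   # preview only
# On a real host (as root): getent passwd > "$WORK/passwd", pass /etc/login.defs,
# review the preview, then repeat with "run" as the third argument.
```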
Conclusion
The passwd --expire command is used by system admins to set the password of any user to expire immediately. In most cases, system admins do this for security reasons or to force a new user to change the default password. Password expiry can also be set using other methods, like the chage command or modifying the /etc/shadow file.