Linux – Turn off password expiration after user changes password (Linux)


One of my e-mail servers uses unix system accounts for user login.
Because I didn't set up any complex password policies (our users, including management staff, don't like complicated passwords), one of the accounts, that had a dictionary 6 letter pasword, was hacked and a few thousand spams were sent. So, naturally, our IP ended up in 3 RBLs.
After talking with the management, we decided that it was time to increase password complexity requirements. (minimum 8 characters, upper case, lower case, numbers, etc)

Now, here is the problem. How to make sure that all our users really change the password without having to check the logs, chage command output, etc?
The best solution I could think of, was to set a 10 day password expiration for all users and then send a mass email to everyone, telling them that if they don't change their password, after 10 days they won't be able to login.

So I started doing tests, to see if this was a viable solution and I encountered a problem that I should have foreseen:
Even though I set the password expiration to 10 days (chage -M 10 user), after changing the password, the expiration date remained the same, instead of returning to "never".

Is there some way of turning off password expiration after the user has changed it's password? (Users can change their password via the webmail interface, using a script based on chpasswd command).

Best Answer

I would try to combine chage -M and -d options.


Set the maximum number of days during which a password is valid. When MAX_DAYS plus LAST_DAY is less than the current day, the user will be required to change his/her password before being able to use his/her account.


Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format YYYY-MM-DD.

So given these options, decide how often you want your passwords to expire. Obviously you don't want them to expire every 10 days, so -M option should be set to a higher value.

To make your users change their passwords in next 10 days, set the -d (LAST_DAY) option to the value so that LAST_DAY + MAX_DAYS == TODAY + 10 DAYS.

This trick will allow you to make the password expiration date approach faster. Once the password is changed, next expiration date will be set based on the value specified with the -M option.