
How to set default password expiry for all new users?

Linux provides a way to configure options like the default password expiration date for all new users. Every time a new user is added, these defaults will apply to the new user.

In Linux, there is a file called /etc/login.defs. This file contains several options that are very useful for a system administrator.

The three options that control password expiry are as follows:

PASS_MAX_DAYS (number) – The maximum number of days an existing password may be used to log in. After this many days, a password change is forced.
PASS_MIN_DAYS (number) – The minimum number of days a password must be used. A password change before this many days have passed is not allowed.
PASS_WARN_AGE (number) – The number of days before the password expires during which the user is warned. This is a grace period for the password change.

Note that these options are only used at the time of account creation. Any changes to these settings won’t affect existing accounts.

These three options should be specified in the following file:

/etc/login.defs

To check your current defaults, use the following command:

[root@server ~]# cat /etc/login.defs | grep -i pass_
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
PASS_MAX_DAYS   60
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
[root@server ~]#

So a password can be used for a maximum of 60 days on my VPS.
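Because these defaults only apply at account creation, existing accounts can keep older, weaker aging values. The script below is an added example, not part of the original post: it compares the min/max/warn fields of a shadow-format file with the login.defs defaults. The function names (login_def, audit_aging, make_sample) and the sample account entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: find existing accounts whose password aging is weaker than
# the login.defs defaults, which only apply to newly created users.

# Print the value of the first uncommented KEY line in a login.defs-style file.
login_def() {  # usage: login_def KEY FILE
    awk -v key="$1" '$1 == key { print $2; exit }' "$2"
}

# Compare shadow fields 4 (min), 5 (max) and 6 (warn) with the defaults.
audit_aging() {  # usage: audit_aging LOGIN_DEFS SHADOW
    max=$(login_def PASS_MAX_DAYS "$1")
    [ -n "$max" ] || { echo "PASS_MAX_DAYS not set in $1" >&2; return 2; }
    awk -F: -v max="$max" \
        -v min="$(login_def PASS_MIN_DAYS "$1")" \
        -v warn="$(login_def PASS_WARN_AGE "$1")" '
        $2 ~ /^[!*]/ { next }   # field starts with ! or *: no password login
        {
            why = ""
            # An empty max field means the password never expires.
            if ($5 == "" || $5 + 0 > max + 0) why = why " max=" ($5 == "" ? "never" : $5)
            if ($4 + 0 < min + 0)             why = why " min=" ($4 == "" ? "0" : $4)
            if ($6 + 0 < warn + 0)            why = why " warn=" ($6 == "" ? "0" : $6)
            if (why != "") print $1 ":" why
        }' "$2"
}

# Write constructed sample files (not real system data) into directory $1.
make_sample() {
    cat > "$1/login.defs" <<'EOF'
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
PASS_MAX_DAYS   60
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
alice:$6$constructed$hash:19800:0:60:7:::
bob:$6$constructed$hash:19500:0:90:3:::
daemon:*:18000:0:99999:7:::
carol:$6$constructed$hash:19700::::::
EOF
}

# Demo run on the constructed sample.
tmp=$(mktemp -d) && make_sample "$tmp"
audit_aging "$tmp/login.defs" "$tmp/shadow"
rm -rf "$tmp"
```

On a real system, run audit_aging /etc/login.defs /etc/shadow as root. chage -M sets the maximum password age on an existing account.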

There are several other options that login.defs provides. To see them all, use its man page:

man login.defs
