In Linux, password aging is primarily managed through the /etc/shadow file and the chage (Change Age) command.
1. Where the data lives: /etc/shadow
Each line in the shadow file contains fields specifically for aging. If you run sudo grep 'joker' /etc/shadow, you'll see fields separated by colons:
joker:hash:last_changed:min:max:warn:inactive:expire:reserved
- Last Changed: The date of the last password change (measured in days since Jan 1, 1970).
- Minimum Age: Minimum number of days between password changes (0 means the user can change it at any time).
- Maximum Age: How many days the password stays valid after it was last changed. After this, the user must change it at the next login.
- Warning: How many days before the password expires the user is warned at login.
- Inactive: How many days after the password expires before the account is locked outright (the user can no longer log in to change it).
- Expire: The date on which the account itself expires (days since Jan 1, 1970), independent of the password; this is the field referred to as the Expire date below.
2. How to manage it: The chage command
While you could edit the shadow file manually, administrators use the chage command because it validates the values you enter and updates the file safely, instead of risking a typo that locks someone out.
To view the current aging policy for joker:
sudo chage -l joker
This lists the expiration dates and aging limits in a human-readable format.
To set specific limits:
If you want to force joker to change their password every 90 days, you would set the Maximum Age field:
sudo chage -M 90 joker
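To make the field layout and the aging rules concrete, here is a small parser and status checker written for this page (it is not part of the lab's own material). It works on constructed sample lines rather than reading a real /etc/shadow, and it mirrors the rules chage -l reports from: 99999 in the Maximum Age field means "never expires", 0 in Last Changed forces a change at the next login, and Inactive counts from the day the password expired.

```python
"""Evaluate the aging fields of /etc/shadow-style lines (constructed samples only)."""
import time
from dataclasses import dataclass
from typing import Optional

NEVER = 99999  # the default Maximum Age value; treated as "no expiry"

@dataclass
class ShadowEntry:
    name: str
    last_changed: Optional[int]  # days since 1970-01-01; None if the field is empty
    min_days: int
    max_days: Optional[int]      # None if empty or 99999
    warn_days: int
    inactive_days: Optional[int]
    expire_day: Optional[int]    # account (not password) expiry, days since epoch

def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field.strip() else None

def parse_shadow_line(line: str) -> ShadowEntry:
    # Nine colon-separated fields: name:hash:last:min:max:warn:inactive:expire:reserved
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    name, _hash, last, mn, mx, warn, inactive, expire, _reserved = fields
    max_days = _int_or_none(mx)
    if max_days is not None and max_days >= NEVER:
        max_days = None
    return ShadowEntry(name, _int_or_none(last), int(mn or 0), max_days,
                       int(warn or 0), _int_or_none(inactive), _int_or_none(expire))

def password_state(entry: ShadowEntry, today: int) -> str:
    """Classify the account as of `today` (days since epoch), oldest rule first."""
    if entry.expire_day is not None and today >= entry.expire_day:
        return "account-expired"
    if entry.last_changed == 0:
        return "must-change"  # a Last Changed of 0 forces a change at next login
    if entry.last_changed is None or entry.max_days is None:
        return "never-expires"
    expiry = entry.last_changed + entry.max_days
    if today >= expiry:
        if entry.inactive_days is not None and today >= expiry + entry.inactive_days:
            return "locked-inactive"
        return "expired"
    if today >= expiry - entry.warn_days:
        return "warning"
    return "ok"

def report(lines, today: Optional[int] = None) -> dict:
    """Map each user name to its state; `today` defaults to the real current day."""
    today = int(time.time() // 86400) if today is None else today
    return {e.name: password_state(e, today) for e in map(parse_shadow_line, lines)}
```

Running report() on a hand-written line such as joker:hash:19000:0:90:7:14:: shows the password turning from ok to warning on day 19083, expired on day 19090 and locked-inactive on day 19104.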
3. Why use it?
Password aging is a security best practice in professional environments. It:
- Ensures a compromised password does not remain useful forever.
- Forces users to rotate their passwords regularly.
- Allows administrators to create temporary accounts (using the Expire date) for contractors or guests.
In this lab, your password probably has no expiration set by default (look for 99999 in the Maximum Age field of the shadow file, which effectively means "never"). Keep going with the lab to see how to further manage these accounts!