All Posts

How to setup password aging in Linux

A short guide on how to set up password aging on your Linux server.

Sep 28th, 2020 • 1 min read

Ideally we always advocate setting up and using SSH keys to authorise users on your servers but we know that's not always possible. So to make using passwords safer, you can configure password aging, here's how.

Password aging works by defining on your server how old a users password can be. When the users password gets too old, the server will force the user to change their password on the next login. The benefits for this are obvious, having a password that changes regularly will reduce the risk of someone obtaining a copy of an active servers password and being able to login.

Configuring Password Aging

To enable and configure password aging, logon to your server and open, with root privileges, /etc/login.defs. I've used nano as my editor for this but you can swap out nano for your preferred editor.

sudo nano /etc/login.defs

Once open scroll until you find the section for "Password aging controls:".

#
# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   91
PASS_MIN_DAYS   0
PASS_WARN_AGE   7

The config file provides a handy explanation for what each of the config values mean and do. The values we have set in the example above will force our users to change their password every 3 months with a warning a week before the expiry is due.

Once you've set your desired values simply save and close the file CTRL + X, press Y to confirm you want to save and then hit Enter to confirm the file to write /etc/login.defs.

And that's it. Password aging is now configured on your server!



Ready to secure your servers?
Get started for free today.

Copyright © 2020 ServerAuth.com, All Rights Reserved. | Terms of Service | Privacy Policy