Ideally we always advocate setting up and using SSH keys to authorise users on your servers but we know that's not always possible. So to make using passwords safer, you can configure password aging, here's how.
Password aging works by defining on your server how old a users password can be. When the users password gets too old, the server will force the user to change their password on the next login. The benefits for this are obvious, having a password that changes regularly will reduce the risk of someone obtaining a copy of an active servers password and being able to login.
Configuring Password Aging
To enable and configure password aging, logon to your server and open, with root privileges,
/etc/login.defs. I've used nano as my editor for this but you can swap out nano for your preferred editor.
sudo nano /etc/login.defs
Once open scroll until you find the section for "Password aging controls:".
# # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 91 PASS_MIN_DAYS 0 PASS_WARN_AGE 7
The config file provides a handy explanation for what each of the config values mean and do. The values we have set in the example above will force our users to change their password every 3 months with a warning a week before the expiry is due.
Once you've set your desired values simply save and close the file
CTRL + X, press
Y to confirm you want to save and then hit
Enter to confirm the file to write
And that's it. Password aging is now configured on your server!