Overview
The chage command allows administrators to manage the “aging” of user passwords and the validity period of user accounts. It provides detailed control over when a password expires, how long the grace period lasts after expiration, and the specific date an account should be disabled. This tool is essential for enforcing security policies, such as requiring periodic password changes, or for automatically suspending accounts for temporary staff on their contract end date.
Specifications (Arguments and Options)
Syntax
BASH
chage [options] [username]
Main Options
| Option | Description |
| -d [date] | Sets the last password change date to “YYYY-MM-DD” (or days since Jan 1, 1970). Setting this to 0 forces a password change on the next login. |
| -E [date] | Sets the date when the account itself will be disabled (expired). Format is “YYYY-MM-DD”. Use -1 to remove the expiration. |
| -I [days] | Sets the number of inactive days (grace period) after a password expires before the account is locked. |
| -l, –list | Displays the current aging information for the user. |
| -m [days] | Sets the minimum number of days required between password changes (prevents frequent changing). |
| -M [days] | Sets the maximum number of days a password is valid (expiration period). |
| -W [days] | Sets the number of days before the password expires to start displaying a warning message. |
Basic Usage
Checking Your Own Password Information
A currently logged-in user (e.g., “mori”) can check their own password expiration settings.
BASH
# Display my own information
chage -l mori
Example Output
Last password change : Jan 26, 2026
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Attempting to View Others’ Information (Standard User)
For security reasons, standard users are denied permission to view password aging information for other users, including the root account.
BASH
# Executed with standard user privileges
chage -l root
Example Output
chage: Permission denied.
Practical Commands
Setting a 90-Day Password Expiration
Using administrator (root) privileges, this command forces user mori to change their password every 90 days. It also sets up a warning message to appear 7 days before the password expires.
BASH
# Set max days to 90 and warning to 7 days
sudo chage -M 90 -W 7 mori
# Verify the setting
sudo chage -l mori | grep "Password expires"
Setting an Account Expiration Date
This is useful for contract employees or temporary project members. You can set a specific date (e.g., March 31, 2026) after which the user will no longer be able to log in. This applies regardless of whether their password is valid or not.
BASH
# Disable the account automatically after March 31, 2026
sudo chage -E 2026-03-31 mori
Forcing a Password Change on Next Login
By resetting the “Last password change” date to 0 (January 1, 1970), the system considers the password to be expired immediately. The user will be forced to set a new password the next time they log in.
BASH
# Force password change
sudo chage -d 0 mori
Important Notes
Restrictions for Standard Users
Only the root user (administrator) can write or modify settings using the chage command. Standard users are restricted to using the -l option to view their own account information.
Overlap with the passwd Command
The passwd command also offers expiration settings via options like passwd -x or passwd -w. However, chage allows for more detailed management, such as directly specifying the last change date. Both commands ultimately modify the /etc/shadow file.
Difference Between Expiration and Locking
The “Expiration” set by chage -E is an automatic invalidation based on a specific date. In contrast, “Locking” (done via usermod -L) is a manual action taken by an administrator to stop access immediately. Both result in the user being unable to log in, but they serve different administrative purposes.
Summary
The chage command is the primary tool for managing the “time axis” of user accounts in Linux. It is commonly used to enforce security hygiene via periodic password changes (-M) or to schedule account termination for departing staff (-E). If a user reports that they cannot log in, running chage -l to check the “Password expires” or “Account expires” dates is an excellent first step in troubleshooting.
