LinuxQuestions.org


kechlion 11-22-2013 08:20 AM

RHEL 5 /etc/shadow Expire setting question
 
Good day all,

In reviewing the shadow file for a server I've found something I do not have the answer for: what exactly does the expire setting mean in a shadow file?

Per RedHat here https://access.redhat.com/site/docum...ps-shadow.html

The last entry for a user is supposed to be how long an account has been expired. However, further down their page they show a date in the expire field and they explain it as a date in the future when an account will expire. Which is it?

My specific question is related to this entry:
This was pulled on 1/31/2013, pw last changed on 7/25/2012, meaning 190 days since it was changed.

username:hash:15546:0:90:14:90::

Would this account not have been locked out for 10 days? I.e. it expired after 90 days, was locked because of inactive after 90 days, and it's been 10 days since then. Should the 'expire' value not be 10?

Any help would be appreciated. Thanks!

kbp 11-26-2013 04:33 PM

Yes, that page is misleading - you can open a ticket to get it fixed if you like. According to 'man 5 shadow' your entry maps to:

Code:

username  ·  login name
hash      ·  encrypted password
15546     ·  days since Jan 1, 1970 that password was last changed
0         ·  days before password may be changed
90        ·  days after which password must be changed
14        ·  days before password is to expire that user is warned
90        ·  days after password expires that account is disabled
          ·  days since Jan 1, 1970 that account is disabled
          ·  a reserved field

Which indicates that the field you are interested in is a fixed date when the account will be disabled, not the number of days since it has expired. This field can be manipulated with the chage command; here's an example:
Code:

# useradd testuser
# grep testuser /etc/shadow
/etc/shadow:testuser:!!:16035:0:60:14:::
# chage -E 2014-02-03 testuser
# grep testuser /etc/shadow
testuser:!!:16035:0:60:14::16104:

And we can confirm that 16104 is correct by calculating it via the date command:
Code:

]$ echo "$(date +%s -d 20140203) / 3600 / 24" | bc
16103

.. off by one but you get the idea.

kechlion 11-27-2013 08:30 AM

Huh, it's interesting that the man for it is right but the site is very obviously misleading. So for my example account, it would have been expired for 10 days (190 since changed - 90 for pw age - 90 for inactive = 10 days of disabled) but other than doing the math myself, there's no way to check for that, is there?

Thank you very much for the help.
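
The day arithmetic asked about in the last post, as an added example that is not part of the original thread: a Python sketch that applies the `man 5 shadow` field meanings to one entry and reports which threshold has passed and by how many days. The function names and the choice to count the threshold day itself as already past are assumptions of the example.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

def day_number(d):
    """Whole days since 1970-01-01, the unit /etc/shadow uses.
    Pure calendar arithmetic, so the local time zone cannot shift the result."""
    return (d - EPOCH).days

def to_date(days):
    return EPOCH + timedelta(days=days)

def _num(field):
    # An empty field means "not set" in shadow(5).
    return int(field) if field else None

def shadow_status(line, today):
    """Return (state, threshold_date, days_past) for one shadow line.
    days_past is negative while the threshold is still in the future."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 colon-separated fields")
    lastchg, _min, maxage, _warn, inactive, expire = map(_num, f[2:8])
    now = day_number(today)
    # Assumption of this sketch: the threshold day itself counts as past.
    # Field 8 is an absolute day number, independent of password ageing.
    if expire is not None and now >= expire:
        return ("account expired", to_date(expire), now - expire)
    if lastchg is None or maxage is None:
        return ("active", None, 0)          # no password ageing configured
    if lastchg == 0:
        return ("password change required", None, 0)
    pw_exp = lastchg + maxage               # field 3 + field 5
    if inactive is not None and now >= pw_exp + inactive:
        lock = pw_exp + inactive            # ... + field 7
        return ("disabled (inactive)", to_date(lock), now - lock)
    if now >= pw_exp:
        return ("password expired", to_date(pw_exp), now - pw_exp)
    return ("active", to_date(pw_exp), now - pw_exp)

if __name__ == "__main__":
    # Entry from the first post, evaluated on the day it was pulled.
    print(shadow_status("username:hash:15546:0:90:14:90::", date(2013, 1, 31)))
    # Day number for the date passed to `chage -E 2014-02-03`.
    print(day_number(date(2014, 2, 3)))
```

To audit a whole file, call `shadow_status` on each line of a root-readable copy of `/etc/shadow` with `date.today()`.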

