Password doesn't expire after expiry date

sudh · 01-03-2012, 05:26 AM

Hi,
I modified the expiry date of the password for a user in order to simulate an expiry and forced password reset scenario. However, the distro fails to recognise the expiry and continues to accept the expired password for almost a day after the expiry date.

Steps followed:-
1) Set the expiry date to a day ahead using the chage -M command for the user 'user'

2) O/p from the chage -l command is as below:-
# chage -l user
Last password change: Jan 03, 2012
Password expires : Jan 04, 2012
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 1
Number of days of warning before password expires: 0

3) Set the date as Jan 04, 2012 00:01 hrs using the date -s option

4) Tried to login using the old password. Was able to login successfully without being asked to reset my password.

Is the behaviour in step 4 expected? Shouldn't it force me to reset my password before I can proceed?

Thanks in advance!!

kbscores · 01-03-2012, 10:23 AM

Code:

chage -d 0 <username>

Will force password reset through expiration.

Also for expiration check to verify expiration was set correctly there are a few places it can be set.

/etc/login.defs
/etc/default/useradd

Also -- for setting a specific user's expiration I recommend just using:

Code:

passwd -x 56 <username>

That will set expiration to 56 for specified user.

Then check /etc/shadow to verify expiration is set correctly for test user. (4th from the end)

sudh · 01-03-2012, 10:23 PM

Thank you for the reply.

I tried using the passwd -x command but it seems to set the expiry date relative to the date of the last password change. Is there any other command apart from the chage -M, that can be used to set the expiry date relative to the current date?

Also, the passwd -x still allows me to login with my old password as mentioned earlier. Any idea on why that might be happening?

kbscores · 01-04-2012, 03:17 PM

chage -d sets relative to Jan 01 1970 -- so with some math you could use it. I also know you can use a specific day with it - Here is what man has:

-d, --lastday LAST_DAY
Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format YYYY-MM-DD (or the format more commonly used in your area).

-E, --expiredate EXPIRE_DATE
Set the date or number of days since January 1, 1970 on which the user's account will no longer be accessible. The date may also be expressed in the format YYYY-MM-DD (or the format more commonly used in your area). A user whose account is locked must contact the system administrator before being able to use the system again.