How to configure Linux to require users to change their password on their next login?
Time : 2026-01-17 15:14:16
Edit : Jtti

When you need to ensure that a user (such as a newly created user, a user whose password has been compromised, or a user required by a security audit) changes their password immediately upon their next login, Linux provides direct built-in commands to accomplish this task. This is not only a routine operation in system administration but also an important measure to improve account security.

Core Principles and Commands: Using `chage` and `passwd`

Linux user password expiration and policy information are stored in the `/etc/shadow` file. Forcing a user to change their password upon their next login essentially involves modifying the relevant fields in this file for that user. Two of the most commonly used and standard commands can accomplish this: `chage` and `passwd`.

Method 1: Using the `chage` command (Recommended)

`chage` is short for "change age" and is the tool designed specifically for modifying a user's password expiration information. The relevant option is `-d` (`--lastday`). To require user alice to change her password at her next login:

sudo chage -d 0 alice

Here, `-d 0` sets the "last password change date" to 0. In `chage`'s logic, 0 has a special meaning: it stands for January 1, 1970 (the start of the UNIX epoch), or more practically, a date so far in the past that the password is treated as already expired. When the system sees that a user's last password change date is 0, it forces the user to change the password immediately after the next successful login. After running the command, verify the setting with `chage -l`:

sudo chage -l alice

In the output, you will see information like `Last password change: Jan 01, 1970` and `Password expires: never`. This contradictory combination (the password was changed in 1970, but it never expires) is the "switch" that triggers the forced password change.

Method 2: Using the `passwd` command

The `passwd` command is better known for changing passwords, but it has a `-e` or `--expire` option, which has the same effect as `chage -d 0`. Force user bob to change their password on their next login:

sudo passwd -e bob

This command works the same way: it sets the "last password change date" field of the corresponding user in `/etc/shadow` to 0. At the underlying level it is exactly equivalent to `chage -d 0`; use whichever you find easier to remember.

Settings Take Effect and User Experience

After running either of the commands above, the setting takes effect immediately. Here is what happens from `alice`'s perspective:

1. User Login: `alice` logs into the system via SSH or the console using her current (old) password.

2. System Prompt: After successful login authentication, the system will not directly enter the shell, but will immediately display a message for forcing a password change. For SSH login, the typical message is:

WARNING: Your password has expired.

You must change your password now and log in again!

Changing password for alice.

(current) UNIX password:

3. Forced Password Change Process:

The system first prompts the user to enter their current password (`(current) UNIX password:`) for secondary authentication.

After successful authentication, the system prompts for a new password (`Enter new UNIX password:`).

The system then prompts the user to enter the new password again (`Retype new UNIX password:`) for confirmation.

4. Completion and Re-login: After a successful password change, the system usually displays `passwd: password updated successfully` and then automatically disconnects the current connection. The user `alice` must log in again using the newly set password to access the system normally.

Important Note: This process only applies to users who log in using password authentication. If the user has configured SSH key authentication and disabled password login, the system cannot trigger the forced password change process during key authentication. For these types of users, administrators may need to temporarily enable password login or notify them through other means.

Advanced Management and Batch Operations

1. Setting Password Policies in Conjunction

Simply forcing a password change is sometimes insufficient; you often want users to set a strong new password. You can utilize other parameters of `chage` to set future password policies while forcing a password change.

Force user charlie to change their password next time, and set the new password's validity period to 90 days, with a 7-day advance warning.

sudo chage -d 0 -M 90 -W 7 charlie

* `-M 90`: Password validity period is up to 90 days.

* `-W 7`: Send warning messages to users 7 days before password expiration.

2. Batch Operations on Users

If you need to uniformly configure a group of users (e.g., a batch of newly hired employee accounts), you can combine this with shell loops.

Assuming you have a username list file `new_users.txt` with one login name per line:

# Read the list line by line (safer than `for user in $(cat ...)`,
# which splits on whitespace and expands globs); skip blank lines.
while read -r user; do
    [ -n "$user" ] || continue
    sudo chage -d 0 "$user"
    echo "User $user's password has been set to change upon next login."
done < new_users.txt

3. How to "Cancel" Forced Change?

If you accidentally changed the password, or if a user reports problems before completing the change, you need to undo the "forced change" status. This is done by using `chage` to set the "last modified date" to today.

To set the last modified date of user alice's password to today, removing the forced status:

sudo chage -d $(date +%Y-%m-%d) alice

Or, more simply, manually change the user's password once using the `passwd` command (as an administrator). This operation will automatically update the last modified date to the current date.

sudo passwd alice

Enter the new password twice as prompted.

Underlying Mechanism: Understanding the `/etc/shadow` File

All modifications made by the above commands are ultimately reflected in the corresponding lines of the `/etc/shadow` file. Understanding its format will give you a more thorough understanding of the underlying principles.

alice:$y$j9T$FReB...3hG0:0:0:99999:7:::

The fields are separated by colons and are, in order: login name, hashed password, last password change date, minimum password age, maximum password age, warning period, inactivity period, account expiry date, and a reserved field. The third field (`0` in this example) is the "last password change date," expressed as the number of days since January 1, 1970; `0` therefore means day 0.
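The following script is an added example, not code from the original article: it parses `/etc/shadow`-style records (constructed here, with placeholder hashes) and reports the aging state that `chage -d 0` / `passwd -e`, `-M` and `-W` produce, using the same day-count arithmetic `chage` uses. The `today_days` helper shows what `chage -d "$(date +%F)"` actually stores.

```shell
#!/bin/sh
# Added example (not from the original article): inspect /etc/shadow-style
# records and report their password-aging state. Sample records below are
# constructed; the hash fields are placeholders.

# Today's "last change" value as chage would write it: whole days since
# 1970-01-01. This is what `chage -d "$(date +%F)"` stores in field 3.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# shadow_state RECORD [TODAY_DAYS]
# Prints: must-change | aging-disabled | never-expires | warn:N | expires-in:N | expired:N
shadow_state() {
    rec=$1
    today=${2:-$(today_days)}
    lastchg=$(printf '%s\n' "$rec" | cut -d: -f3)
    maxdays=$(printf '%s\n' "$rec" | cut -d: -f5)
    warn=$(printf '%s\n' "$rec" | cut -d: -f6)

    # Field 3 == 0 is the trigger set by `chage -d 0` / `passwd -e`.
    if [ "$lastchg" = "0" ]; then
        echo "must-change"; return 0
    fi
    # An empty field 3 switches password aging off for the account.
    if [ -z "$lastchg" ]; then
        echo "aging-disabled"; return 0
    fi
    # No maximum age (empty, or the 99999 default) means the password never expires.
    if [ -z "$maxdays" ] || [ "$maxdays" -ge 99999 ]; then
        echo "never-expires"; return 0
    fi
    left=$(( lastchg + maxdays - today ))
    if [ "$left" -lt 0 ]; then
        echo "expired:$(( 0 - left ))"
    elif [ -n "$warn" ] && [ "$left" -le "$warn" ]; then
        echo "warn:$left"          # inside the -W window: user gets a warning at login
    else
        echo "expires-in:$left"
    fi
}

# Constructed records; "today" is fixed at day 20470 (2026-01-17) so output is stable.
alice='alice:$y$j9T$PLACEHOLDER:0:0:99999:7:::'        # after: chage -d 0 alice
charlie='charlie:$y$j9T$PLACEHOLDER:20400:0:90:7:::'   # -M 90 -W 7, last changed on day 20400
dave='dave:$y$j9T$PLACEHOLDER:20400:0:99999:7:::'      # default aging, never expires
for r in "$alice" "$charlie" "$dave"; do
    printf '%s -> %s\n' "${r%%:*}" "$(shadow_state "$r" 20470)"
done
```

Run it against a real system with `sudo sh -c 'while read -r l; do shadow_state "$l"; done < /etc/shadow'` after sourcing the functions to audit which accounts are currently in the forced-change state.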

Summary and Best Practices

Preferred Commands: For a single user, use `sudo chage -d 0 <username>` or `sudo passwd -e <username>`. The `chage` command is more specialized and is recommended.

Essential Process: This operation sets a trigger for a past password change date, rather than making the password "expire immediately." Users still need to log in with their old password to trigger the change process.

Applicable Scenarios: Initial account delivery for new users; suspicion or confirmation that a user's password may have been compromised; periodic security policy requirements (such as mandatory password changes for privileged accounts every quarter); after a user forgets their password and the administrator resets it, the user should be forced to immediately set a new password they know upon login.

Communication and Recording: Before and after performing this operation, it is recommended to notify the user via email or other means, explaining the reason for the operation and the security requirements. Simultaneously, record this type of administrative operation in the audit log.

Combined with Other Strategies: Mandatory password changes should be part of the overall account security policy, used together with password complexity requirements (for example, the `pam_pwquality` module configured in `/etc/pam.d/passwd`), two-factor authentication, and other measures to build a more robust defense.

By mastering this simple yet crucial command, you can effectively manage the user password lifecycle, respond promptly to security incidents, and thus improve the overall account security management level of your Linux system.
