This tutorial focuses on using the passwd command to manage password aging in Solaris OS for any user.
If your question is one of the following, then this tutorial is for you:
- Chage command in Solaris
- How to change password expiry in Solaris
- How to change password expiry in Solaris 11
- Solaris equivalent for chage -d
- How to change password warn days in Solaris
- How to turn off password aging for a user in Solaris
What is Password Aging?
Password aging is a mechanism you can use to force users to periodically change their passwords. With password aging you can:
- Force a user to choose a new password the next time the user logs in.
- Specify a maximum number of days that a password can be used before it has to be changed.
- Specify a minimum number of days that a password has to be in existence before it can be changed.
- Specify that a warning message be displayed whenever a user logs in a specified number of days before the user’s password time limit is reached.
- Specify a maximum number of days that an account can be inactive. If that number of days pass without the user logging in to the account, the user’s password will be locked.
- Specify an absolute date after which a user’s password cannot be used, thus denying the user the ability to log on to the system.
These password aging parameters are applied on a user-by-user basis, so you can have different password aging requirements for different users. (You can also set general default password aging parameters in the /etc/default/passwd file.)
Forcing Users to Change Passwords
There are two ways to force a user to change passwords the next time the user logs in:
- Force change keeping password aging rules in effect
passwd -f username
- Force change and turn off password aging rules
passwd -x 0 username
Setting a Password Age Limit
The max argument, given with the -x option of the passwd command, sets an age limit for the current password:
passwd -x max username
- max is one of the following values:
- Greater than zero. Any number greater than zero sets the number of days before the password must be changed.
- Zero (0). A value of zero (0) forces the user to change passwords the next time the user logs in, and it then turns off password aging.
- Minus one (-1). A value of minus one (-1) turns off password aging. In other words, entering passwd -x -1 username cancels any previous password aging applied to that user.
For example, to force the user ‘baba’ to change passwords every 45 days, you would type the command:
passwd -x 45 baba
Setting Minimum Password Life
The min argument, given with the -n option of the passwd command, specifies the number of days that must pass before a user can change passwords:
passwd -x max -n min username
Where:
- max is the maximum number of days a password is valid as described in the section above
- min is the minimum number of days that must pass before the password can be changed.
For example, to force the user ‘baba’ to change passwords every 45 days and prevent him from changing the password for the first 7 days, you would type the command:
passwd -x 45 -n 7 baba
Establishing a Warning Period
The warn argument, given with the -w option of the passwd command, specifies how many days before a password reaches its age limit users will start seeing a "Your password will expire in N days" message (where N is the number of days) when they log in.
passwd -x max -w warn username
Where:
- username is the login ID of the user.
- max is the maximum number of days a password is valid.
- warn is the number of days before the password reaches its age limit that the warning message will begin to be displayed.
For example, to force the user ‘baba’ to change passwords every 45 days and display a warning message 5 days before the password reaches its age limit, you would type the command:
passwd -x 45 -w 5 baba
Turning Off Password Aging
There are two ways to turn off password aging for a given user:
- Turn off aging while allowing user to retain current password
passwd -x -1 username
- Force user to change password at next login, and then turn off aging
passwd -x 0 username
For example, to force the user ‘baba’ to change passwords the next time he logs in and then turn off password aging, you would type the command:
passwd -x 0 baba
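To check what the max, min and warn settings above mean for a given account, the following added example (not part of the original tutorial) classifies entries in the shadow(4) field layout. The function name, the sample entries and the day number are constructed, and the handling of a lastchg of 0 and of an empty max is an assumption stated in the comments.

```shell
#!/bin/sh
# Classify the aging state of one shadow(4)-format entry:
#   name:passwd:lastchg:min:max:warn:inactive:expire:flag
# Assumptions (not stated in the tutorial): lastchg 0 = change required at
# next login; empty or negative max, or empty lastchg = aging off.
# Needs an awk that supports -v (nawk or /usr/xpg4/bin/awk on Solaris).

# aging_status ENTRY TODAY   (TODAY = days since 1970-01-01)
aging_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        name = $1; lastchg = $3; min = $4; max = $5; warn = $6
        if (lastchg == "0") { print name ": change required at next login"; next }
        if (lastchg == "" || max == "" || max + 0 < 0) { print name ": aging off"; next }
        age  = today - lastchg        # days since the last change
        left = lastchg + max - today  # days until the age limit
        if (left < 0) { print name ": expired " (0 - left) " days ago"; next }
        if (warn != "" && left <= warn + 0) { print name ": warning, " left " days left"; next }
        if (min != "" && age < min + 0) {
            print name ": ok, " left " days left, change blocked for " (min - age) " more days"; next
        }
        print name ": ok, " left " days left"
    }'
}

TODAY=20000  # constructed day number, so the output is reproducible
while IFS= read -r entry; do
    aging_status "$entry" "$TODAY"
done <<'EOF'
baba:x:19990:7:45:5:::
alice:x:19958:7:45:5:::
erin:x:19997:7:45:5:::
dave:x:19900:7:45:5:::
bob:x:0:7:45:5:::
carol:x:19000::::::
EOF
```

On a live system the entries would come from /etc/shadow, which only root can read, and TODAY would be the current day count since 1970-01-01.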