1. Overview

As Linux users with password policies enabled, we may find ourselves wondering when our passwords are due to expire. This information is critical for security reasons, as it’s recommended to change passwords regularly.

In this tutorial, we’ll explore how to retrieve password expiration times in the shell. We’ll discuss basic commands and techniques to check the password expiration times for a given user and system.

2. Password Expiration Time of a Specific User

To retrieve the password expiry time, we can use the chage command. This command is used to change user password expiry information.

The -l option displays the current password expiry information for a particular user on our system. To retrieve the data, we simply supply the username:

$ chage -l username

Here, we can replace username with the name of the user we want to check:

$ chage -l john 
Last password change                                   : Jan 01, 2023
Password expires                                       : Apr 01, 2023
Password inactive                                      : never
Account expires                                        : never
Minimum number of days between password change         : 7
Maximum number of days between password change         : 90
Number of days of warning before password expires      : 14

In this example output, we can see that user john last changed their password on January 1st, 2023, and their password will expire on April 1st, 2023.

The minimum number of days between password changes is 7, meaning that the user cannot change their password more frequently than once a week. The maximum number of days between password changes is 90, which is the password expiry time set by the system policy. Finally, we can see that the user will receive a warning 14 days before their password expires.

3. Password Expiration Time of All Users

Sometimes, we may want to check the password expiration time for all users on a Linux system. This can be useful for security purposes, as well as for managing multiple user accounts.

One way we can check the password expiration date for all users is via a shell script. We iterate over all the users in the /etc/passwd file and run chage -l on them to retrieve the data.

Let’s create our shell script check-users-password-expiration-date.sh:

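#!/bin/sh
# List every account in /etc/passwd with its password expiry date.
# chage reads the aging data from /etc/shadow, so run this script as root.
for user in $(cut -d: -f1 /etc/passwd)
do
  echo "$user"
  chage -l "$user" | grep "Password expires"
done | paste -d " " - - | sed 's/Password expires//g'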

In this case, we retrieve the password expiration time for all users on our system. To achieve this, the script reads in the /etc/passwd file for a list of all users and then loops through each one, printing their name and password expiration date via chage.

Next, the grep command filters out any line that doesn’t contain the phrase Password expires. Finally, we format the output using the paste and sed commands.

So, let’s make the shell script executable:

$ sudo chmod +x /opt/scripts/check-users-password-expiration-date.sh

Here, we use the chmod command to modify the permissions of this script. We add the execute permission to the file with the +x option.

At this point, we can run our script in the shell to see the password expiration time for all users:

$ sudo sh check-users-password-expiration-date.sh 
root          : never 
bin           : never 
daemon        : never 
john          : Apr 01, 2023 
stephen       : Mar 19, 2023 
michelle      : Oct 24, 2023 

As we can see above, the script outputs the username and password expiration date for all users.

4. Password Expiration Time for All Users Except System Users

Now, let’s modify the above script to exclude system users from the output and save it as check-users-password-expiration-date-2.sh:

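#!/bin/sh
# List the password expiry date of regular accounts (UID >= 1000) only.
for user in $(cut -d: -f1 /etc/passwd)
do
  if id -u "$user" > /dev/null 2>&1; then
    if [ "$(id -u "$user")" -ge 1000 ]; then
      # Take the text after the colon and trim the leading space,
      # leaving e.g. "Apr 01, 2023" or "never"
      expires=$(chage -l "$user" | grep "Password expires" | awk -F: '{print $2}' | sed 's/^ *//')
      # Skip accounts with no expiry line or a never-expiring password
      if [ -n "$expires" ] && [ "$expires" != "never" ]; then
        echo "$user Password expires : $expires"
      fi
    fi
  fi
done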

In this script, we use the cut command to retrieve only the user names (first colon-delimited field) from the /etc/passwd file. After that, we check if the user ID is greater than or equal to 1000 to avoid system users. For each user that isn’t a system user, we retrieve the account information using the chage command.

We then extract the password expiration date using the grep, awk, and sed commands, keeping it in the month-day-year form that chage prints. If chage reports no expiry date for an account or the password never expires, we don’t display any output for that user. This also hides regular accounts whose passwords are set to never expire, so those need a separate check.

Of course, let’s again make the script executable:

$ sudo chmod +x check-users-password-expiration-date-2.sh

Let’s now run the script file and see some example output:

$ sudo sh check-users-password-expiration-date-2.sh
john Password expires      : Apr 01, 2023
stephen Password expires   : Mar 19, 2023
michelle Password expires  : Oct 24, 2023

Here, we can see that the script has excluded the system users we saw before, as their password never expires. By using this script, we can quickly check the password expiration date for all regular users and ensure that their accounts remain secure.
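
The scripts above print the expiry date but leave the comparison with today's date to the reader, and they hide never-expiring accounts. The following added example (not part of the original article) classifies each account as expired, warning, ok, never or must-change from shadow-format records, assuming expiry is the last change plus the maximum age, as in john's output; classify_expiry, the status names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify accounts by password age from shadow-format records.
# Shadow fields used: 1=name, 3=last change (days since 1970-01-01),
#                     5=maximum age in days, 6=warning period in days

# classify_expiry TODAY
# Reads shadow-format lines on stdin and prints "name status days_left".
# TODAY is the current date as days since the epoch.
classify_expiry() {
  awk -F: -v today="$1" '
    # Aging disabled: empty last-change or maximum field, or the 99999 default
    $3 == "" || $5 == "" || $5 >= 99999 { print $1, "never", "-"; next }
    # A last-change value of 0 forces a change at the next login
    $3 == 0 { print $1, "must-change", 0; next }
    {
      left = $3 + $5 - today          # days until last change + maximum age
      warn = ($6 == "" ? 0 : $6)
      if (left < 0)          status = "expired"
      else if (left <= warn) status = "warning"
      else                   status = "ok"
      print $1, status, left
    }'
}

# Constructed sample records (hash field replaced by a placeholder).
# Expiry days: john 19448 (Apr 01, 2023), stephen 19435 (Mar 19, 2023),
# michelle 19654 (Oct 24, 2023).
sample_shadow() {
  cat <<'EOF'
root:*:19000:0:99999:7:::
john:HASH:19358:7:90:14:::
stephen:HASH:19345:7:90:14:::
michelle:HASH:19289:7:365:14:::
svc_backup:HASH:19358:0::7:::
EOF
}

# Evaluate the sample as of day 19440 (Mar 24, 2023)
report() { sample_shadow | classify_expiry 19440; }

report
```

On a live system, the function can read getent shadow output as root, with $(( $(date +%s) / 86400 )) as TODAY.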

5. Conclusion

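In this article, we’ve explored several ways to check the password expiration time for users on a Linux system. By using a built-in tool like chage, we can easily extract this information for the accounts listed in /etc/passwd; chage itself reads the aging data from /etc/shadow, which is why we run the scripts with sudo.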

Additionally, we’ve learned how to filter out system users and never-expiring passwords to make the output more readable and relevant. These scripts can be run periodically to ensure that users are updating their passwords on time and to identify any accounts that may be at risk due to weak or outdated passwords.