Linux systems implement password aging policies through the /etc/shadow file, which contains hashed passwords and related information including expiration dates. The chage command is the proper tool for modifying these settings, rather than passwd.
First verify the current password aging configuration:
chage -l username
Sample output:
Last password change : Jan 01, 2023
Password expires : Apr 01, 2023
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
There are two primary methods to disable password expiration:
Method 1: Using chage Command
sudo chage -M 99999 username
Or more explicitly:
sudo chage -E -1 -m 0 -M -1 -I -1 -W -1 username
Where:
- -E -1 removes account expiration
- -m 0 sets minimum days between changes to 0
- -M -1 removes maximum password age
- -I -1 disables password inactivity
- -W -1 removes expiration warnings
Method 2: Direct Shadow File Modification
For advanced users (not recommended unless necessary):
sudo vipw -s
Then locate the user and change the fifth field (maximum days) to -1:
username:encryptedpass:18647:0:-1:7:::
Confirm the settings took effect:
sudo chage -l username | grep "Password expires"
Should return:
Password expires : never
To modify default settings for all new users, edit /etc/login.defs:
PASS_MAX_DAYS -1
PASS_MIN_DAYS 0
PASS_WARN_AGE -1
Note: This only affects newly created users.
While non-expiring passwords are convenient, consider these best practices:
- Implement SSH key authentication instead of passwords
- Use strong passwords (16+ characters, mixed character types)
- Enable two-factor authentication where possible
- Regularly audit account access
For service accounts, consider using:
sudo passwd -l username # locks password authentication
and configure SSH key access only.
When administering Linux servers, you'll occasionally need service accounts or privileged users with passwords that don't expire. While password rotation is good security practice, some use cases require permanent credentials.
First verify if password expiration is currently enabled:
chage -l username
# Or alternatively:
passwd -S username
This displays information like:
Last password change : Jan 01, 2023
Password expires : Apr 01, 2023
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
There are two reliable methods to prevent password expiration:
Method 1: Using chage command
sudo chage -M 99999 username
This sets the maximum password age to about 273 years, effectively making it non-expiring.
Method 2: Editing /etc/shadow directly (Advanced)
For granular control, modify these fields in /etc/shadow:
username:encryptedpass:18585:0:99999:7:::
Where:
- 18585 = Last password change date (days since epoch)
- 0 = Minimum password age
- 99999 = Maximum password age
- 7 = Warning period
After making changes, confirm the settings took effect:
sudo chage -l username | grep "Password expires"
Should return: Password expires : never
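To find every account already in this state rather than checking one user at a time, the maximum-age field described above can be audited across the whole file. This is an added example, not part of the original article: list_nonexpiring, sample_shadow and the sample entries are constructed for illustration, and the 10000-day cut-off for "never expires" is an assumption.

```shell
#!/bin/sh
# Added example: report accounts whose password never expires.
# shadow(5) fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Assumed cut-off: a maximum age this large is treated as "never expires".
# The 99999 used on this page is above it.
NOEXPIRE_DAYS=${NOEXPIRE_DAYS:-10000}

# list_nonexpiring [FILE]  (reads stdin when FILE is omitted)
# Output: "<name> <max|unset> <password|locked|empty>" or "<name> - malformed"
list_nonexpiring() {
    awk -F: -v limit="$NOEXPIRE_DAYS" '
        $0 == "" { next }
        NF != 9 || ($5 != "" && $5 !~ /^-?[0-9]+$/) {
            print $1, "-", "malformed"; next
        }
        $5 == "" || $5 + 0 < 0 || $5 + 0 >= limit + 0 {
            if ($2 == "")            state = "empty"    # no password set at all
            else if ($2 ~ /^[!*]/)   state = "locked"   # password login disabled
            else                     state = "password" # usable password hash
            print $1, ($5 == "" ? "unset" : $5), state
        }
    ' "${1:--}"
}

# Constructed sample data (not real hashes) in /etc/shadow format.
sample_shadow() {
    cat <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
alice:$6$constructed$hash:19000:0:90:7:::
svc_backup:!$6$constructed$hash:19000:0::7:::
deploy:$6$constructed$hash:19000:0:-1:7:::
broken:x:19000
EOF
}

# Demo on the constructed sample; as root, pass /etc/shadow as FILE instead.
sample_shadow | list_nonexpiring
```

Accounts reported as "password" combine a usable password hash with no expiry and are the ones to review first; "locked" entries match the passwd -l setup suggested for service accounts.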
Before implementing non-expiring passwords:
- Restrict to service accounts only when possible
- Apply strict password complexity rules
- Monitor login attempts for these accounts
- Consider using SSH keys instead where applicable
If changes don't seem to take effect:
- Check for PAM modules enforcing expiration
- Verify no password policies in /etc/login.defs override your settings
- Ensure the user isn't in groups with conflicting policies