Asking about chage command

bucminhdo · April 20, 2021, 8:33pm

Hi Guys,

I intentionally created a user like this:

user name = test

user passwd = abc

For the purpose I want to see the notice quickly from chage command, how does it look? And I set the parameters for the password as follows

useradd test
passwd test -> then provide "abc"
chage -M 1 -W 1 -I 1 test

Concern 1) If that's the way it work. When I run the above command, the user test will receive the notification immediately (or within 1 day) from the system. But I don't see any notice from test User as well as root User

Concern 2) Suppose I set the value of -W is 10

-> So 10 days prior to the expiration of , the system will notify the user account with the content required to change the password.

-> What I wonder here is the notification action is only notified once time (10 days before)? Or in those 10 days, every day the system will notify the test user?

If this is not the case, how can I set the system will perform the following 2 actions

Notify to the test User 10 days prior from the expiration day of
Within these 10 days, every day the system will notify User test

Concern 3) Suppose that System sends an announcement (I don't know what it's like though). Can I change the content of the notice from -W?

For Example: WARNING. YOU NEED TO CHANGE YOUR PASSWD RIGHT NOW!

Regards!

drysdalk · April 20, 2021, 9:27pm

Hello,

Taking each of your points in turn:

That is essentially how it works, yes. By way of testing, I re-set a user's password as root with the command passwd <username>. I was then able to see in the output of chage --list <username> that their last password change date had changed to today. I then ran chage -M1 <username>, and when logging in as that user, I got the "Warning: your password will expire in 1 day" message.
The user will receive a warning every time they log in, within the warning period. So if the warning period was 10 days, every time they log in within that 10 days prior to their password expiring, they will receive the warning message.
The actual text of the warning message and the password reset dialogue is hard-coded, and cannot be changed.

On a test CentOS 7 system, the expiry warning always takes the form

Warning: your password will expire in 1 day

and when the password has expired, the user is greeted with

WARNING: Your password has expired.
You must change your password now and login again!

followed by the output of the passwd command, which is then run interactively to change their password as usual.

I think the reason you're not seeing the password warning is the fact that you're setting the warning period to 1 day. Set it to something larger than 1 day, and you should find it works normally. The warning period must always be greater than the actual expiry period, or else it will never actually be able to take effect.

Hope this helps !

bucminhdo · April 20, 2021, 11:02pm

Hi,

By the way, when I use command useradd to create a user

I have not created a password for it. But it seems that useradd is still setting the password to LOCK

[root@vps ~]# useradd testnopass
[root@vps ~]# passwd --status testnopass
testnopass LK 2021-04-19 0 99999 7 -1 (Password locked.)
[root@vps ~]#

So is there any way to know if the user has set the password or not?

Thank you my savior

drysdalk · April 20, 2021, 11:12pm

Hi,

Unless you first set a newly-created account's password yourself, the user has no way to set the password, since they cannot provide their current password when prompted to do so by the passwd command. Even if you set them up with SSH public key-based authentication or some other non-password-based authentication mechanism, whilst they will be able to log in, passwd will still ask them for their current password if they try to use it, and since there isn't one, they'll never be able to change their password.

You could theoretically unlock their account by doing passwd -fu <username> (you need to specify -f to force the operation as well as -u to unlock, since passwd will regard this as A Bad Idea and otherwise refuse to do it). But if you do, you're leaving them with a blank password, and anyone who knew their username would just be able to instantly log in with that blank password, and hijack the account.

So generally speaking, you always have to set a user's password first. After that (so long as they know the password, of course), they can change it themselves whenever they want to whatever they like, or at least as often and to whatever form of password your site policies permit.

Lastly, the appropriate field of passwd -S will always show the date of the last password change for any account that has ever had its password changed, but you'll not be able to tell if that was done by the user, or by root.

Hope this helps !

bucminhdo · April 21, 2021, 8:23pm

Hi Sir,

Can you help me to explain what is the purpose of IDLE in who command

[root@vps ~]# who -H -u
NAME     LINE         TIME             IDLE          PID COMMENT
root     pts/0        2021-04-21 14:56   .          1221 (2.56.139.141)
root     pts/1        2021-04-21 14:56 00:09        1288 (2.56.139.141)
[root@vps ~]#

As well as the IDLE JCPU and PCPU in w command

[root@vps ~]# w
 16:11:54 up  1:15,  2 users,  load average: 0.01, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    xxx.xxx.xxx.xxx     14:56    2.00s  0.13s  0.01s w
root     pts/1    xxx.xxx.xxx.xxx     14:56   10:24   0.29s  0.03s nano /etc/passwd
[root@vps ~]#

drysdalk · April 21, 2021, 8:36pm

Hi,

I'm sure we can help you with this, but since it's a new question and is un-related to your original one, would you mind creating a new thread for it, please ? We generally like to keep one thread to one topic, and since your original question was about chage and it has now been answered, if you could open a new thread for your new question, that would be great. Thanks !