Setting User Password Expiration on Linux


The expiration period can be set globally,

and it can also be set for individual users.

Edit the /etc/login.defs file  - applies globally

chage username  - applies to an individual user



[root@vash ~]# cat /etc/login.defs

In that file:

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail   <- this is the mail directory
#MAIL_FILE      .mail

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
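PASS_MAX_DAYS   99999   <- maximum number of days a password may be used (this seems to say: use it until you die)
PASS_MIN_DAYS   0   <- minimum number of days between password changes
PASS_MIN_LEN    5   <- minimum password length
PASS_WARN_AGE   7   <- number of days before expiry that the warning message is shown
Adjusting these values sets the password expiry defaults for all newly created users at once. Accounts that already exist keep the values already stored in /etc/shadow and have to be changed individually with chage.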

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                   500
UID_MAX                 60000

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                   500
GID_MAX                 60000

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME     yes

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use MD5 or DES to encrypt password? Red Hat use MD5 by default.
MD5_CRYPT_ENAB yes

[root@vash ~]#

[root@vash ~]# chang stest1
-bash: chang: command not found
[root@vash ~]# chage stest1
stest1의 사용기한 정보를 바꿉니다
새로운 값을 넣거나, 기본값을 원하시면 엔터를 치세요

        열쇠글의 최소 유효 기간 [0]:
[root@vash ~]# unset LANG
[root@vash ~]# chage stest1
Changing the aging information for stest1
Enter the new value, or press ENTER for the default

        Minimum Password Age [0]:
        Maximum Password Age [99999]:
        Last Password Change (YYYY-MM-DD) [2010-03-04]:
        Password Expiration Warning [7]:
        Password Inactive [-1]:
        Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
[root@vash ~]#
[root@vash ~]#

In this way, the settings for an individual user can be changed interactively, one prompt at a time.
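Because the /etc/login.defs values only reach newly created accounts, existing accounts have to be checked one by one. The script below is an added example, not part of the original post: it audits shadow(5)-format lines against a maximum-age policy and prints the `chage -M` command for each account that exceeds it. The 90-day policy, the function names and the sample accounts are assumptions made for the illustration.

```shell
#!/bin/bash
# Added example: audit password aging in shadow(5)-format data.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Constructed sample data (not real accounts or hashes).
sample_shadow() {
cat <<'EOF'
root:$6$constructed$hash:14672:0:99999:7:::
stest1:$6$constructed$hash:14672:0:99999:7:::
stest2:$6$constructed$hash:14672:1:90:14:30::
daemon:*:14672:0:99999:7:::
locked1:!!:14672:0:99999:7:::
stest3:$6$constructed$hash:14672:0::7:::
EOF
}

# policy_from_defs: read login.defs-format text on stdin and print the
# PASS_MAX_DAYS value that useradd applies to new accounts.
policy_from_defs() {
    awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }'
}

# audit_aging POLICY_MAX_DAYS: read shadow-format lines on stdin and print
# "user max" for every account with a usable password hash whose maximum
# age is unset, negative (checking disabled) or longer than the policy.
audit_aging() {
    awk -F: -v policy="$1" '
        $2 ~ /^[!*]/ { next }   # locked or password login disabled: skip
        $5 == "" || $5 + 0 < 0 || $5 + 0 > policy + 0 {
            print $1, ($5 == "" ? "unset" : $5)
        }
    '
}

# remediation_cmds POLICY_MAX_DAYS: print (do not run) the chage command
# that brings each flagged account in line with the policy.
remediation_cmds() {
    audit_aging "$1" | while read -r user _; do
        printf 'chage -M %s %s\n' "$1" "$user"
    done
}

# Demo on the constructed sample with an assumed 90-day policy.
sample_shadow | audit_aging 90
sample_shadow | remediation_cmds 90
```

Against a live system, run it as root with `audit_aging 90 < /etc/shadow`, and review the printed `chage` commands before executing them.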





[root@vash ~]# chage --help
Usage: chage [options] user

Options:
  -d, --lastday LAST_DAY        set last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximim number of days before password
                                change to MAX_DAYS
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS

[root@vash ~]# man chage
CHAGE(1)                         User Commands                        CHAGE(1)

NAME
       chage - change user password expiry information

SYNOPSIS
       chage [options] user

DESCRIPTION
       The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to
       determine when a user must change his/her password.

OPTIONS
       The options which apply to the chage command are:

       -d, --lastday LAST_DAY
          Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format YYYY-MM-DD (or the
          format more commonly used in your area).

       -E, --expiredate EXPIRE_DATE
          Set the date or number of days since January 1, 1970 on which the user's account will no longer be accessible. The date may also be expressed in the
          format YYYY-MM-DD (or the format more commonly used in your area). A user whose account is locked must contact the system administrator before being
          able to use the system again.

          Passing the number -1 as the EXPIRE_DATE will remove an account expiration date.

       -h, --help
          Display help message and exit.

       -I, --inactive INACTIVE
          Set the number of days of inactivity after a password has expired before the account is locked. The INACTIVE option is the number of days of
          inactivity. A user whose account is locked must contact the system administrator before being able to use the system again.

          Passing the number -1 as the INACTIVE will remove an account's inactivity.

       -l, --list
          Show account aging information.

       -m, --mindays MIN_DAYS
          Set the minimum number of days between password changes to MIN_DAYS. A value of zero for this field indicates that the user may change his/her password
          at any time.

       -M, --maxdays MAX_DAYS
          Set the maximum number of days during which a password is valid. When MAX_DAYS plus LAST_DAY is less than the current day, the user will be required to
          change his/her password before being able to use his/her account. This occurrence can be planned for in advance by use of the -W option, which provides
          the user with advance warning.

          Passing the number -1 as MAX_DAYS will remove checking a password's validity.

       -W, --warndays WARN_DAYS
          Set the number of days of warning before a password change is required. The WARN_DAYS option is the number of days prior to the password expiring that
          a user will be warned his/her password is about to expire.

       If none of the options are selected, chage operates in an interactive fashion, prompting the user with the current values for all of the fields. Enter the
       new value to change the field, or leave the line blank to use the current value. The current value is displayed between a pair of [ ] marks.

NOTE
       The chage program requires a shadow password file to be available.

       The chage command is restricted to the root user, except for the -l option, which may be used by an unprivileged user to determine when his/her password
       or account is due to expire.

FILES
       /etc/passwd
          User account information.

       /etc/shadow
          Secure user account information.

EXIT VALUES
       The chage command exits with the following values:

       0  success

       1  permission denied

       2  invalid command syntax

       15 can't find the shadow password file

SEE ALSO
       passwd(5), shadow(5).

User Commands                     06/25/2006                          CHAGE(1)