Mastering Linux Security and Hardening
上QQ阅读APP看书,第一时间看更新

Setting expiry data on a per-account basis with useradd and usermod

You might find it useful to set the default password expiry data in login.defs, but you probably won't find it too useful to configure the useradd configuration file. Really, what are the chances that you'll want to create all user accounts with the same account expiration date? Setting password expiry data in login.defs is more useful because you'll just be saying that you want new passwords to expire within a certain number of days, rather than to have them all expire on a specific date.

Most likely, you'll want to set account expiry data on a per-account basis, depending on whether you know that the accounts will no longer be needed as of a specific date. There are three ways that you can do this:

  • Use useradd with the appropriate option switches to set expiry data as you create the accounts. (If you need to create a whole bunch of accounts at once with the same expiry data, you can automate the process with a shell script.)
  • Use usermod to modify expiry data on existing accounts. (The beautiful thing about usermod is that it uses the same option switches as useradd.)
  • Use chage to modify expiry data on existing accounts. (This one uses a whole different set of option switches.)

You can use useradd and usermod to set account expiry data, but not to set password expiry data. The only two option switches that affect account expiry data are as follows:

  • -e: Use this to set an expiration date for the account, in the form YYYY-MM-DD.
  • -f: Use this to set the number of days after the user's password expires that you want for his or her account to get locked out.

Let's say that you want to create an account for Charlie that will expire at the end of 2020. On a Red Hat or CentOS machine, you could enter the following:

sudo useradd -e 2020-12-31 charlie

On a non-Red Hat or CentOS machine, you'd have to add the option switches that create the home directory and assign the correct default shell:

sudo useradd -m -d /home/charlie -s /bin/bash -e 2020-12-31 charlie

Use chage -l to verify what you've entered:

donnie@ubuntu-steemnode:~$ sudo chage -l charlie
Last password change : Oct 06, 2017
Password expires : never
Password inactive : never
Account expires : Dec 31, 2020
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
donnie@ubuntu-steemnode:~$

Now, let's say that Charlie's contract has been extended, and you need to change his account expiration to the end of January 2021. You'll use usermod the same way on any Linux distribution:

sudo usermod -e 2021-01-31 charlie

Again, verify that everything is correct with chage -l:

donnie@ubuntu-steemnode:~$ sudo chage -l charlie
Last password change : Oct 06, 2017
Password expires : never
Password inactive : never
Account expires : Jan 31, 2021
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
donnie@ubuntu-steemnode:~$

Optionally, you can set the number of days before an account with an expired password will get locked out:

sudo usermod -f 5 charlie

But if you were to do that now, you wouldn't see any difference in the chage -l output because we still haven't set expiration data for Charlie's password.