Sandra Henry-Stocker, Unix Dweeb

The secrets of password aging on Unix systems

How-To
Apr 11, 2017 (4 min read)
Data Center, Linux


If you administer Unix systems, it helps to know how password aging is managed, how to determine when a password was last changed, and how to force a change in the near future. The key to understanding password aging is knowing how and where the dates related to user passwords are stored.

Regular users (anyone without root access) cannot read the /etc/shadow file, where password hashes and the aging parameters are stored. Its contents were split off from the world-readable /etc/passwd file decades ago (back in the mid-eighties) to keep password hashes away from the prying eyes of anyone but root. Even so, users can pull up their own aging settings with the chage command, which on most Linux distributions is installed setuid root precisely so that it can read the caller's own shadow record; on systems where that bit has been removed, a regular user gets a permission error instead.

In the command output shown below, you can see how much information is available.

$ chage -l jdo
Last password change                                : Apr 10, 2017
Password expires                                    : May 10, 2017
Password inactive                                   : never
Account expires                                     : never
Minimum number of days between password change      : 0
Maximum number of days between password change      : 30
Number of days of warning before password expires   : 7

This user can see that their password was changed just recently (hopefully they knew that) and that it expires in another month. We can also see that the account itself has no expiration date, that any password expires 30 days after it is set, and that the user should get a warning seven days before the password expires. Regular users can, of course, only see their own record.

Sysadmins can run this same command as root and see the same information for any user. They can also look directly at the record in /etc/shadow from which all of it is derived. Anchoring the pattern to the start of the line keeps grep from also matching other accounts whose names merely contain "jdo".

# grep '^jdo:' /etc/shadow
jdo:$6$lgq2nGMX$MzADc/126H/5iCBcRBuPeJw5U3xhDBqna7WnAJ3zvsY7AczxidlZHfDy0oUWymFJneYgOALYamFeP0le7wXcU/:17266:0:30:7:::

To make this display a little clearer, I've marked off and identified the fields below. Each digit sits under the colon that ends the field it numbers.

# grep '^jdo:' /etc/shadow
jdo:$6$lgq2nGMX$MzADc/126H/5iCBcRBuPeJw5U3xhDBqna7WnAJ3zvsY7AczxidlZHfDy0oUWymFJneYgOALYamFeP0le7wXcU/:17266:0:30:7:::
---1--------------------------------------------------------------------------------------------------2-----3-4--5-6789

As you can see, the last three of the colon-separated fields are empty. Here's what each field represents:

1  username
2  password hash (the $6$ prefix marks SHA-512 crypt, with the salt between the second and third $; a field beginning with ! or * is not a valid hash and disables password login for the account)
3  date of the last password change, in days since the epoch (see below); 0 means the user must change the password at the next login, and an empty field disables aging entirely
4  minimum number of days between password changes
5  maximum number of days a password stays valid (empty means it never expires)
6  number of days before expiration that the user is warned
7  number of days after expiration before the account is disabled (the "inactive" period)
8  account expiration date, also in days since the epoch
9  not used -- reserved for future use

Of these fields, only the two dates (fields 3 and 8) need interpretation, and they are stored in a format that will not surprise anyone who has spent time on the Unix command line. Unix dates don't count from year 0 but from the mythical beginning of all things Unix, Jan 1, 1970 (UTC), usually called the "epoch". That date was chosen as a convenient round number from the period when Unix was being written, and it is easy to remember.

The number 17266 means "17,266 days since Jan 1, 1970" and, as the command output above shows, chage has no trouble interpreting it (17266 is indeed Apr 10, 2017). Note that this differs from most other Unix timestamps, which count seconds since the epoch rather than days.

To see what today’s date looks like in the shadow file format, try this command:

$ echo $(( $(date --utc +%s) / 86400 ))
17267
$ echo $(( $(date --utc --date "2017-04-10" +%s) / 86400 ))
17266

The 86400 in this expression is the number of seconds in a single day. Epoch seconds (+%s) are the same in every time zone, but --utc matters as soon as you pass a calendar date with --date: the shadow file counts whole days in UTC, and in a zone east of UTC the local midnight of Apr 10 falls on Apr 9 UTC, so without --utc the division would yield 17265 instead of 17266.
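The field layout and the days-since-epoch arithmetic above are enough to interpret a shadow record yourself, which is handy when you are looking at a copy of /etc/shadow from a backup or a forensic image rather than a live system. The script below is an added example, not code from the article or from shadow-utils: it parses one record, converts the day numbers to dates and back with integer arithmetic only (Howard Hinnant's civil_from_days / days_from_civil, so it needs neither root nor GNU date), and classifies the password state the way chage and login do. The record is constructed for the example (the hash is a placeholder; the numeric fields match the jdo record above), and the exact boundary day on which a password counts as expired is an assumption stated in the comments, since shadow-utils and pam_unix draw it slightly differently.

```shell
#!/bin/sh
# Added example (not from the article): interpret the aging fields of one
# /etc/shadow record using only POSIX sh arithmetic.
#
# CONSTRUCTED record: placeholder hash, numeric fields as in the article's jdo record.
SAMPLE_RECORD='jdo:$6$saltsalt$placeholderhash:17266:0:30:7:::'

# Days since 1970-01-01 -> YYYY-MM-DD (civil_from_days; valid from 0000-03-01 on).
days_to_date() (
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    m=$(( mp < 10 ? mp + 3 : mp - 9 ))
    y=$(( yoe + era * 400 + (m <= 2) ))
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
)

# YYYY-MM-DD -> days since 1970-01-01 (the inverse, days_from_civil).
date_to_days() (
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}            # "08" would be read as octal by some shells
    y=$(( y - (m <= 2) ))
    era=$(( y / 400 ))
    yoe=$(( y - era * 400 ))
    doy=$(( (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
)

# Today's date in shadow-file units: whole UTC days since the epoch.
today_days() {
    echo $(( $(date -u +%s) / 86400 ))
}

# Classify one record for a given "today" (a day number). Prints one of:
#   locked | account-expired | no-aging | must-change | never-expires |
#   inactive | expired | warn:<days left> | ok:<days left>
# Assumed boundaries (shadow-utils and pam_unix differ by a day here): the
# password is expired from the day after lastchg+max, the account is disabled
# once more than inact further days have passed, and an explicit expiration
# date (field 8) takes effect on that day itself.
shadow_state() (
    today=$2
    set -f                        # a "*" hash field must not be expanded as a glob
    IFS=:
    set -- $1
    hash=$2 lastchg=$3 max=$5 warn=$6 inact=$7 expire=$8
    case $hash in
        '!'*|'*'*) echo locked; return ;;   # not a crypt(3) result: no password login
    esac
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then echo account-expired; return; fi
    if [ -z "$lastchg" ]; then echo no-aging; return; fi         # empty field 3
    if [ "$lastchg" -eq 0 ]; then echo must-change; return; fi  # field 3 == 0
    if [ -z "$max" ]; then echo never-expires; return; fi       # empty field 5
    left=$(( lastchg + max - today ))
    if [ "$left" -lt 0 ]; then
        if [ -n "$inact" ] && [ $(( -left )) -gt "$inact" ]; then echo inactive; else echo expired; fi
        return
    fi
    if [ -n "$warn" ] && [ "$left" -le "$warn" ]; then echo "warn:$left"; else echo "ok:$left"; fi
)

# The date chage prints as "Password expires": lastchg + max.
expiry_date() {
    days_to_date $(( $1 + $2 ))
}

# Demo on the constructed record.
lastchg=$(printf '%s\n' "$SAMPLE_RECORD" | cut -d: -f3)
printf 'Last password change : %s\n' "$(days_to_date "$lastchg")"
printf 'Password expires     : %s\n' "$(expiry_date "$lastchg" 30)"
printf 'State on 2017-04-11  : %s\n' "$(shadow_state "$SAMPLE_RECORD" "$(date_to_days 2017-04-11)")"
printf 'State today          : %s\n' "$(shadow_state "$SAMPLE_RECORD" "$(today_days)")"
```

Two details worth noting. The record is split with IFS=: after set -f, because a locked account's hash field is often a bare "*", and an unquoted expansion of that in a shell with globbing enabled would turn it into a directory listing. And the "must-change" branch is how the forced change mentioned at the top of this article is implemented: root sets field 3 to 0 with chage -d 0 jdo, which makes the next login demand a new password; chage -M, -m, -W, -I and -E set fields 5, 4, 6, 7 and 8 respectively.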


Sandra Henry-Stocker has been administering Unix systems for more than 30 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She lives in the mountains in Virginia where, when not working with or writing about Unix, she's chasing the bears away from her bird feeders.

The opinions expressed in this blog are those of Sandra Henry-Stocker and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.