After you reset someone's password, you do not want them keeping the temporary one you chose. Force them to pick their own at next login by expiring the current password. Two commands do it; both need root:
sudo chage -d 0 deploy # set last-change date to epoch = already expired
sudo passwd -e deploy # same effect, shorter to type
What the user sees
On their next login they get "You are required to change your password immediately (administrator enforced)", then the normal change-password flow. They cannot reach a shell until they set a new password. After that, the account behaves normally.
This is not the same as locking
It is a common mix-up:
| Goal | Command | Effect |
|---|---|---|
| Make them reset the password | chage -d 0 / passwd -e | They log in once, then must choose a new password. Access continues. |
| Stop them logging in at all | usermod -L + nologin, or chage -E 0 | Access blocked entirely. See lock and unlock. |
Forcing a change is the right move after an admin reset or a suspected weak password. Locking is for revoking access.
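To check which of these states an account is actually in, the script below reads shadow(5)-format lines and classifies each user. It is an added example, not part of the original article: the function names and the sample lines (including the placeholder hashes) are constructed, and on a real host you would feed it `sudo cat /etc/shadow`.

```shell
#!/bin/sh
# shadow(5) fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
#   chage -d 0 / passwd -e -> lastchg (field 3) is 0
#   usermod -L             -> hash (field 2) gets a leading "!"
#   chage -E 0             -> expire (field 8) is 0, i.e. already in the past

# Constructed sample data; the hashes are placeholders, not real crypt output.
SAMPLE_SHADOW='deploy:$6$constructedsalt$constructedhash:0:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19800:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:19800:0:99999:7:::
carol:$6$constructedsalt$constructedhash:19800:0:99999:7::0:'

# classify_shadow [TODAY]
# Reads shadow lines on stdin and prints "user<TAB>state".
# TODAY is days since 1970-01-01 and defaults to the current date.
classify_shadow() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            state = "ok"
            if ($8 != "" && $8 + 0 <= today + 0)
                state = "account-expired"    # access blocked entirely
            else if ($2 ~ /^!/)
                state = "password-locked"    # password login disabled
            else if ($3 == "0")
                state = "change-forced"      # must pick a new password
            printf "%s\t%s\n", $1, state
        }'
}

# forced_change_users [TODAY]
# Prints only the accounts that still owe a password change.
forced_change_users() {
    classify_shadow "$@" | awk -F'\t' '$2 == "change-forced" { print $1 }'
}

# Demo on the constructed sample, with "today" pinned to day 20000.
printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow 20000
```

Running `forced_change_users` after a batch of admin resets shows who has not yet replaced their temporary password.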
Undo it
If you expired the password by mistake, restore a normal last-change date:
sudo chage -d $(date +%Y-%m-%d) deploy # set last-change to today
Or simply have them complete the change once; after they set a new password the expiry clears on its own.
Caveat: it only forces password logins
Expiring the password forces a reset for password-based logins. A user who logs in by SSH key bypasses the password entirely, so chage -d 0 will not prompt them. If you need to force key users through something, that is an account-expiry or key-rotation task, not a password one.
See also
- How to change a user password (passwd): the reset you do before forcing the change.
- Set password expiry and account aging (chage): max age, warnings, and the full chage reference.
- Lock and unlock a user account: when you want to block access, not just force a reset.