After you reset someone's password, you do not want them keeping the temporary one you chose. Force them to pick their own at next login by expiring the current password. Two commands do it; both need root:
sudo chage -d 0 deploy # set last-change date to epoch = already expired
sudo passwd -e deploy # same effect, shorter to type
What the user sees
On their next login they get You are required to change your password immediately (administrator enforced), then the normal change-password flow. They cannot reach a shell until they set a new password. After that, the account behaves normally.
This is not the same as locking
It is a common mix-up:
| Goal | Command | Effect |
|---|---|---|
| Make them reset the password | chage -d 0 / passwd -e | They log in once, then must choose a new password. Access continues. |
| Stop them logging in at all | usermod -L + nologin, or chage -E 0 | Access blocked entirely. See lock and unlock. |
Forcing a change is the right move after an admin reset or a suspected weak password. Locking is for revoking access.
Undo it
If you expired the password by mistake, restore a normal last-change date:
sudo chage -d $(date +%Y-%m-%d) deploy # set last-change to todayOr simply have them complete the change once; after they set a new password the expiry clears on its own.
Caveat: it only forces password logins
Expiring the password forces a reset for password-based logins. A user who logs in by SSH key bypasses the password entirely, so chage -d 0 will not prompt them. If you need to force key users through something, that is an account-expiry or key-rotation task, not a password one.
FAQ
They do the same thing: set the password's last-change date to the epoch so it counts as expired, forcing a reset at next login. passwd -e is just the shorter alias. Neither locks the account; the user logs in once and is made to choose a new password.
Forcing a password change only affects password authentication. SSH public-key logins skip the password, so an expired password does not prompt them. To gate key users, expire the whole account (chage -E 0) or rotate their key instead.
Reset the last-change date to today: sudo chage -d $(date +%Y-%m-%d) deploy. Or just let the user complete the one-time change; once they set a new password the forced-change flag clears.
See also
- How to change a user password (passwd): the reset you do before forcing the change.
- Set password expiry and account aging (chage): max age, warnings, and the full chage reference.
- Lock and unlock a user account: when you want to block access, not just force a reset.
Sources
Authoritative references this article was fact-checked against.





