chage (change age) controls the whole password lifecycle: how often it must change, how much warning the user gets, and when the account itself expires. Read the current state with -l, no root needed for your own account:
chage -l deploySetting aging is a root task:

The fields that matter
sudo chage -M 90 deploy # password must change every 90 days
sudo chage -m 1 deploy # at most one change per day (minimum age)
sudo chage -W 7 deploy # warn 7 days before expiry
sudo chage -I 14 deploy # 14 days after expiry, lock the account (inactivity)
sudo chage -E 2026-12-31 deploy # the whole account expires on this dateYou can set several at once: sudo chage -M 90 -W 7 -I 14 deploy. All of this lives in /etc/shadow; chage is just the safe editor for it.
Password expiry vs account expiry
The distinction that trips people up:
-M(max age) expires the password. The user is forced to set a new one, then carries on. It is a hygiene control.-E(account expiry) expires the account. On that date the user can no longer log in by any method, including SSH keys. It is an access control.
That makes -E the clean way to offboard a contractor on a known end date, or to lock an account immediately (chage -E 0). See lock and unlock a user account.
Set the policy for new users
chage changes one existing user. To set the default for accounts created from then on, edit /etc/login.defs (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE). Existing users are unaffected; apply chage to them individually or in a loop.
FAQ
-M sets the maximum password age: after that many days the user must choose a new password but keeps access. -E sets an account expiry date: on that date the account is disabled entirely, including SSH key logins. Use -M for rotation hygiene, -E to offboard or disable.
chage -l deploy prints all the aging fields in plain English: last change, password expiry, account expiry, and the min/max/warn values. Any user can run it for their own account.
It applies from the password's last-change date. If the last change was already older than the new maximum, the password is treated as expired and the user must reset at next login. To force a reset now regardless, use chage -d 0; see force a password change.
See also
- Force a password change at next login: the chage -d 0 one-off.
- Lock and unlock a user account: chage -E 0 as a full lockout.
- How to change a user password (passwd): the reset itself.
- How to delete a user on Linux: when expiry is no longer enough.
Sources
Authoritative references this article was fact-checked against.





