chage (change age) controls the whole password lifecycle: how often it must change, how much warning the user gets, and when the account itself expires. Read the current state with -l, no root needed for your own account:
chage -l deploy
Setting aging is a root task:

The fields that matter
sudo chage -M 90 deploy # password must change every 90 days
sudo chage -m 1 deploy # at most one change per day (minimum age)
sudo chage -W 7 deploy # warn 7 days before expiry
sudo chage -I 14 deploy # 14 days after expiry, lock the account (inactivity)
sudo chage -E 2026-12-31 deploy # the whole account expires on this date
You can set several at once: sudo chage -M 90 -W 7 -I 14 deploy. All of this lives in /etc/shadow; chage is just the safe editor for it.
Password expiry vs account expiry
The distinction that trips people up:
- -M (max age) expires the password. The user is forced to set a new one, then carries on. It is a hygiene control.
- -E (account expiry) expires the account. On that date the user can no longer log in by any method, including SSH keys. It is an access control.
That makes -E the clean way to offboard a contractor on a known end date, or to lock an account immediately (chage -E 0). See lock and unlock a user account.
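The two clocks can be read directly from the /etc/shadow fields that chage edits. The script below is an added example, not part of the original article: it classifies password state and account state separately. The function names shadow_aging and sample_shadow and the sample lines are constructed, and the day-boundary handling is a simplified model that may differ by a day from what PAM enforces.

```shell
# Constructed sample in shadow(5) layout:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved  (dates = days since 1970-01-01)
sample_shadow() {
cat <<'EOF'
deploy:!:20450:1:90:7:14:20818:
contractor:!:20490:0:99999:7::20400:
olduser:!:20300:0:90:7:14::
stale:!:20420:0:60:7:::
newhire:!:0:0:90:7:::
EOF
}

# Usage: shadow_aging TODAY_DAYS < shadow-format-lines
# Prints: user  password-state  account-state
shadow_aging() {
    awk -F: -v today="$1" '
    {
        user = $1; lastchg = $3; max = $5; warn = $6; inact = $7; expire = $8

        # Account expiry (-E) is field 8 and does not depend on the password at all.
        acct = (expire != "" && today >= expire) ? "account-expired" : "account-active"

        # Password aging (-M, -W, -I) is fields 5, 6, 7, counted from field 3.
        if (lastchg == "0")                   pw = "must-change"   # set by chage -d 0
        else if (lastchg == "" || max == "")  pw = "no-aging"
        else {
            due = lastchg + max
            if (inact != "" && today >= due + inact)     pw = "inactive-locked"
            else if (today >= due)                       pw = "password-expired"
            else if (warn != "" && today >= due - warn)  pw = "warning"
            else                                         pw = "ok"
        }
        print user, pw, acct
    }'
}

# Day 20500 is a constructed "today" for the sample data.
sample_shadow | shadow_aging 20500
```

On a real host, feed it the live file as root: sudo cat /etc/shadow | shadow_aging $(( $(date +%s) / 86400 )). The contractor line shows the case the section describes: the password is still valid, yet the account is already closed.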
Set the policy for new users
chage changes one existing user. To set the default for accounts created from then on, edit /etc/login.defs (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE). Existing users are unaffected; apply chage to them individually or in a loop.
See also
- Force a password change at next login: the chage -d 0 one-off.
- Lock and unlock a user account: chage -E 0 as a full lockout.
- How to change a user password (passwd): the reset itself.
- How to delete a user on Linux: when expiry is no longer enough.





