Setting Minimum Password Life

The min argument to the passwd command specifies the number of days that must pass before a user can change passwords. If a user tries to change passwords before the minimum number of days has passed, a Sorry less than N days since the last change message is displayed.

The min argument uses the following format:

passwd -x max -n min username

Where:

• username is the login ID of the user

• max is the maximum number of days a password is valid as described in the section above

• min is the minimum number of days that must pass before the password can be changed.

For example, to force the user eponine to change passwords every 45 days, and prevent him from changing it for the first 7 days you would type the command:

station1% passwd -x 45 -n 7 eponine

The following rules apply to the min argument:

• You do not have to use a min argument or specify a minimum number of days before a password can be changed.

• If you do use the min argument, it must always be used in conjunction with the -max argument. In other words, in order to set a minimum value you must also set a maximum value.

• If you set min to be greater than max, the user is unable to change passwords at all. For example, the command passwd -x 7 -n 8 prevents the user from changing passwords. If the user tries to change passwords, the You may not change this password message is displayed. Setting the min value greater than the max value has two effects:

  • The user is unable to change password. In this case, only someone with administer privileges could change the password. For example, in situations where multiple users share a common group password, setting the min value for that password greater than the max value would prevent any individual user from changing the group password.

  • The password is only valid for the length of time set by the max value, but the user cannot change it because the min value is greater than the max value. Thus, there is no way for the user to prevent the password from becoming invalid at the expiration of the max time period. In effect, this prevents the user from logging in after the max time period unless an administrator intervenes.