Password Expiration Not Working with MAX_DAYS Setting

I am working on testing the password expiration functionality, specifically the CIS properties related to password expiration (MAX_DAYS).

Here are the steps I followed for testing:

Changed the password for the user testuser using passwd, and set MAX_DAYS to 365 using:

chage --maxdays 365 testuser

Verified the setting using chage -l testuser, which showed

ac1.thirdcdnvx0d1.cdn ~# chage -l testuser
Last password change                                    : Oct 15, 2024
Password expires                                        : Oct 15, 2025
Password inactive                                       : Oct 15, 2025
Account expires                                         : never
Minimum number of days between password change          : 1
Maximum number of days between password change          : 365
Number of days of warning before password expires       : 7
ac1.thirdcdnvx0d1.cdn ~#

Simulated a future date (Nov 14, 2025) using

sudo date -s "2025-11-14"

Logged out and attempted to log back in as testuser

Even after the password expiration date, I could still log in with the existing password. The system did not prompt for a password change.

I also set MAX_DAYS to 0 (which should force an immediate expiration), but I could still log in without being prompted to change the password.

Has anyone encountered similar issues with the MAX_DAYS setting not working? Any guidance or additional configuration that might be missing would be appreciated.

I had a look at my own setup, where the passwords really do expire.

Two files worth checking

/etc/login.defs
/etc/default/useradd

Your ‘chage’ looks the same as mine, so I don’t see any obvious reason that yours is not working.

@gerry666uk Thanks for your response! I noticed you mentioned that the password expiration works correctly in your setup. Could you confirm whether you tested this on Rocky Linux 9.x?

I’m trying to narrow down if this could be version-specific or related to some other configuration differences.

In my case, I have it set up on RHEL 9.4.

I only know what’s in the post above, the two files and the ‘chage’ command.

Did you try with a dummy account that should expire in two days (or something) instead of trying to mess with the date?

Having recently switched to Rocky but yet to deploy it, I was curious if this was working on mine as I have chage policies set.
Running 9.4.
I set my expiry to one day, rolled the date back, rebooted and was pleased to see that it worked fine, asked me to change my password.

So I’m happy it’s working for myself at least.

Sorry, I’ve nothing to suggest to assist you with your issue.
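
The aging fields behind the chage -l output in the question can be evaluated for any date without touching the system clock. The following is an added example, not part of any post in this thread: it follows the field meanings in shadow(5) rather than any PAM module's code, and the function names, status labels, constructed shadow line and boundary-day comparison are assumptions.

```python
from datetime import date

EPOCH = date(1970, 1, 1)  # shadow(5) counts days since this date

def _num(field):
    """An empty shadow field means 'not set'."""
    return int(field) if field.strip() else None

def shadow_status(line, today):
    """Classify one /etc/shadow line for the given date (labels are this example's own)."""
    f = line.rstrip("\n").split(":")
    f += [""] * (9 - len(f))
    lastchg, _min, maxd, warn, inact, expire = (_num(x) for x in f[2:8])
    now = (today - EPOCH).days
    if expire is not None and now >= expire:
        return "account-expired"
    if lastchg == 0:
        return "change-required"        # forced change at next login
    if lastchg is None or maxd is None:
        return "no-aging"               # no maximum age configured
    age = now - lastchg
    if age < 0:
        return "clock-before-last-change"
    # Assumption: strict '>' here; the exact boundary day is not taken from any tool.
    if age > maxd:
        if inact is not None and age > maxd + inact:
            return "password-inactive"  # inactivity period over, password no longer accepted
        return "change-required"
    if warn is not None and age > maxd - warn:
        return "warning"
    return "valid"

def sample_line(maxd="365", inact="0", changed=date(2024, 10, 15)):
    """Constructed entry mirroring the chage -l output in the question (hash is a placeholder)."""
    lastchg = (changed - EPOCH).days
    return f"testuser:$6$PLACEHOLDER:{lastchg}:1:{maxd}:7:{inact}::"

if __name__ == "__main__":
    for day in (date(2025, 1, 1), date(2025, 10, 12), date(2025, 11, 14)):
        print(day, shadow_status(sample_line(), day))
    print("no inactivity period:", shadow_status(sample_line(inact=""), date(2025, 11, 14)))
```

To check a real account, pass the line printed by `getent shadow testuser` (run as root) in place of the constructed one.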