Remove password aging

[alejandro-colomar]

I intend to remove it in 4.21, and deprecate in 4.19.

Passwords should never expire. It has been proved to decrease password safety.

The following features and/or programs will be deprecated in 4.19:

• expiry(1) // To be removed in 4.20
• chage(1):
  • -I,--inactive (also the interactive version)
  • -m,--mindays (also the interactive version) // To be removed in 4.20
  • -M,--maxdays (also the interactive version)
  • -W,--warndays (also the interactive version)
• passwd(1):
  • -k,--keep-tokens
  • -n,--mindays // To be removed in 4.20
  • -x,--maxdays
  • -i,--inactive
  • -w,--warndays
• useradd(8):
  • -f,--inactive
• usermod(8):
  • -f,--inactive
• login.defs(5):
  • PASS_MIN_DAYS // To be removed in 4.20
  • PASS_MAX_DAYS // Remove it from the default file in 4.20
  • PASS_WARN_AGE // Remove it from the default file in 4.20
• /etc/default/useradd:
  • INACTIVE
• shadow(5):
  • sp_lstchg: Restrict to just the values 0 and empty.
  • sp_min // To be ignored in 4.20
  • sp_max
  • sp_warn
  • sp_inact

Distros should make sure to remove those 3 values from login.defs(5) ASAP. That will make sure that the transition from 4.20 to 4.21 will be smooth. These programs will fail if such a configuration is specified in 4.21.

Cc: @stoeckmann , @thesamesam , @floppym , @jubalh , @ikerexxe , @zeha , @hallyn

---

Here are some statistics of the PR:

$ COLUMNS=999 git diff --stat master..HEAD \
| grep '^ [^ ]' \
| tr / ' ' \
| awk '{print $1}' \
| sort \
| uniq \
| while read -r f; do
        echo $f;
        git diff --stat master..HEAD -- $f \
        | tail -n1;
done;
1533
configure.ac
 1 file changed, 3 deletions(-)
doc
 1 file changed, 3 insertions(+), 8 deletions(-)
etc
 1 file changed, 6 deletions(-)
lib
 10 files changed, 18 insertions(+), 220 deletions(-)
man
 35 files changed, 6 insertions(+), 1371 deletions(-)
po
 1 file changed, 2 deletions(-)
src
 12 files changed, 54 insertions(+), 1432 deletions(-)
tests
 1472 files changed, 18 insertions(+), 32517 deletions(-)

---

Here's what NIST and Microsoft say about this:

NIST
   NIST SP 800-63-3
       In 2017-06, NIST (National Institute of Standards and Technology)
       published NIST SP 800-63-3 <https://pages.nist.gov/800-63-3/> (Digital
       Identity Guidelines), which —among other documents— contained
       NIST SP 800-63B <https://pages.nist.gov/800-63-3/sp800-63b.html>
       (Authentication and Lifecycle Management).

       This 3rd revision of NIST SP 800-63 superseded NIST SP 800-63-2
       <https://csrc.nist.gov/pubs/sp/800/63/2/final> (Electronic
       Authentication Guideline), from 2013-08, which was withdrawn in
       2017-06-22.

       NIST SP 800-63B recommended in §5.1.1.2
       <https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver>
       (Memorized Secret Verifiers), paragraph 9, that passwords should not
       expire periodically.

              Verifiers SHOULD NOT require memorized secrets to be changed
              arbitrarily (e.g., periodically).  However, verifiers SHALL
              force a change if there is evidence of compromise of the
              authenticator.

       NIST SP 800-63-3 was amended in 2020-03-02, but didn't change this
       recommendation.

   FAQ
       In 2017-07, NIST published a FAQ page
       <https://pages.nist.gov/800-63-FAQ/> clarifying doubts about
       NIST SP 800-63.

       In 2018-04-30, an entry clarifying §5.1.1.2 was added
       <https://github.com/usnistgov/800-63-FAQ/commit/9a87d495088d>.

       That entry is currently numbered as B05
       <https://pages.nist.gov/800-63-FAQ/#q-b05> and contains the following
       text.

              Q-B05: Is password expiration no longer recommended?

              A-B05: SP 800-63B Section 5.1.1.2 paragraph 9 states:

                            “Verifiers SHOULD NOT require memorized secrets to
                            be changed arbitrarily (e.g., periodically).
                            However, verifiers SHALL force a change if there
                            is evidence of compromise of the authenticator.”

                     Users tend to choose weaker memorized secrets when they
                     know that they will have to change them in the near
                     future.  When those changes do occur, they often select a
                     secret that is similar to their old memorized secret by
                     applying a set of common transformations such as
                     increasing a number in the password.  This practice
                     provides a false sense of security if any of the previous
                     secrets has been compromised since attackers can apply
                     these same common transformations.  But if there is
                     evidence that the memorized secret has been compromised,
                     such as by a breach of the verifier’s hashed password
                     database or observed fraudulent activity, subscribers
                     should be required to change their memorized secrets.
                     However, this event-based change should occur rarely, so
                     that they are less motivated to choose a weak secret with
                     the knowledge that it will only be used for a limited
                     period of time.

   NIST SP 800-63-4
       In 2025-07, NIST published a new revision of the Digital Identity
       Guidelines: NIST SP 800-63-4 <https://pages.nist.gov/800-63-4/>, which
       —among other documents— contains NIST SP 800-63B-4
       <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63B-4.pdf>
       (Authentication and Authenticator Management).

       This 4th revision of NIST SP 800-63 superseded NIST SP 800-63-3
       <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf>,
       which was withdrawn in 2025-08-01.

       NIST SP 800-63B-4 is more strict than NIST SP 800-63B-3 regarding
       password expiration, and in §3.1.1.2
       <https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver>, prohibits
       periodic password expiration.

              6.  Verifiers and CSPs SHALL NOT require subscribers to change
                  passwords periodically.  However, verifiers SHALL force a
                  change if there is evidence that the authenticator has been
                  compromised.

Microsoft
       Some corporations have changed their security policies similarly.

       In 2019, Microsoft released version v1903 of Windows 10.  With it, it
       also published the Security baseline (FINAL) for Windows 10 v1903 and
       Windows Server v1903
       <https://learn.microsoft.com/en-us/archive/blogs/secguide/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903>.

       That publication drops periodic password expiration from their policy.

              •  Dropping the password-expiration policies that require
                 periodic password changes.  This change is discussed in
                 further detail below.

---

See also:

• https://pages.nist.gov/800-63-FAQ/#q-b05
• https://learn.microsoft.com/en-us/archive/blogs/secguide/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903

---

Revisions:

v2

• Only remove some features of chage(1), but not the entire program.
• Keep support for sp_lstchg == 0.
• Keep passwd(1) -e.

v3

• Rebase

$ git rd 
 1:  14542fe0f5d6 <  -:  ------------ *: expiry(1): Remove program
 2:  f3d202ba5089 =  1:  89661cf90859 *: chage(1): Remove interactive -I
 3:  f459a1858c94 =  2:  2c5fc86a212d *: chage(1): Remove interactive -m
 4:  548c28732d0b =  3:  92fb1b114bb9 *: chage(1): Remove interactive -M
 5:  59d18211b6a7 =  4:  0aa493de8d49 *: chage(1): Remove interactive -W
 6:  d8bb1d855ed2 =  5:  9648e1980136 *: chage(1): -I,--inactive: Remove option
 7:  368541756e3a =  6:  eef823f58f60 *: chage(1): -m,--mindays: Remove option
 8:  8a9f2928a38f =  7:  fb4b761a1d31 *: chage(1): -M,--maxdays: Remove option
 9:  ebcb2613391a =  8:  cfcc9591febd *: chage(1): -W,--warndays: Remove option
10:  4381c26fe9a2 !  9:  17e58f508ab3 *: passwd(1): -k,--keep-tokens: Remove option
    @@ lib/pam_pass.c
      {
        pam_handle_t *pamh = NULL;
        int flags = 0, ret;
    -@@ lib/pam_pass.c: void do_pam_passwd (const char *user, bool silent, bool change_expired)
      
        if (silent)
                flags |= PAM_SILENT;
    @@ src/passwd.c: main(int argc, char **argv)
     -  }
      
        if (anyflag && !amroot) {
    -           (void) fprintf (stderr, _("%s: Permission denied.\n"), Prog);
    + #ifdef WITH_AUDIT
     @@ src/passwd.c: main(int argc, char **argv)
                        do_pam_passwd_non_interactive ("passwd", name, cp);
                        erase_pass (cp);
11:  783f5718d100 = 10:  b3ea94811495 *: passwd(1): -n,--mindays: Remove option
12:  b64cbac2a338 = 11:  6bcaafcfde6f *: passwd(1): -x,--maxdays: Remove option
13:  b18a6b031720 = 12:  8125b5abf276 *: passwd(1): -i,--inactive: Remove option
14:  c9c2ad3c8e26 = 13:  4805c1fc272b *: passwd(1): -w,--warndays: Remove option
15:  87bbf32b556a = 14:  26ce7021578a *: useradd(8): -f,--inactive: Remove option
16:  bd06c767412b ! 15:  3dc5087c6845 *: usermod(8): -f,--inactive: Remove option
    @@ src/usermod.c: process_flags(int argc, char **argv, struct option_flags *flags)
        }
      
     @@ src/usermod.c: process_flags(int argc, char **argv, struct option_flags *flags)
    +   if (streq(user_newname, user_name)) {
    +           lflg = false;
    +   }
    +-  if (user_newinactive == user_inactive) {
    +-          fflg = false;
    +-  }
    +   if (user_newexpire == user_expire) {
    +           eflg = false;
    +   }
    +@@ src/usermod.c: process_flags(int argc, char **argv, struct option_flags *flags)
    +   }
    + 
    +   if (!(Uflg || uflg || sflg || pflg || mflg || Lflg ||
    +-        lflg || Gflg || gflg || fflg || eflg || dflg || cflg
    ++        lflg || Gflg || gflg || eflg || dflg || cflg
    + #ifdef ENABLE_SUBIDS
    +         || vflg || Vflg || wflg || Wflg
    + #endif                            /* ENABLE_SUBIDS */
    +@@ src/usermod.c: process_flags(int argc, char **argv, struct option_flags *flags)
    +           exit (E_SUCCESS);
        }
    - #endif                            /* WITH_SELINUX */
      
     -  if (!is_shadow_pwd && (eflg || fflg)) {
     +  if (!is_shadow_pwd && eflg) {
17:  298cd36264b1 ! 16:  ede0b49db209 *: login.defs(5): PASS_MIN_DAYS: Remove configuration variable
    @@ man/login.defs.5.xml
            HOME_MODE
     -      PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
     +      PASS_MAX_DAYS PASS_WARN_AGE
    -       <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
    -       SHA_CRYPT_MIN_ROUNDS</phrase>
    +       SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
            SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
    +       SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN
     @@
        <term>pwck</term>
        <listitem>
18:  e524c3f82cd8 ! 17:  ff4eddd6dd19 *: login.defs(5): PASS_MAX_DAYS: Remove configuration variable
    @@ man/login.defs.5.xml
            HOME_MODE
     -      PASS_MAX_DAYS PASS_WARN_AGE
     +      PASS_WARN_AGE
    -       <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
    -       SHA_CRYPT_MIN_ROUNDS</phrase>
    +       SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
            SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
    +       SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN
     @@
        <term>pwck</term>
        <listitem>
19:  2169d73b023d ! 18:  198e6328990b *: login.defs(5): PASS_WARN_AGE: Remove configuration variable
    @@ man/login.defs.5.xml
            MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
            HOME_MODE
     -      PASS_WARN_AGE
    -       <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
    -       SHA_CRYPT_MIN_ROUNDS</phrase>
    +       SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
            SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
    +       SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN
     @@
        <term>pwck</term>
        <listitem>
20:  27da3ea45343 ! 19:  49861daaaf47 *: /etc/default/useradd: INACTIVE: Remove configuration variable
    @@ doc/HOWTO
        ##
     
      ## src/useradd.c ##
    -@@ src/useradd.c: static const char *def_usrtemplate = USRSKELDIR;
    - static const char *def_create_mail_spool = "yes";
    +@@ src/useradd.c: static const char *def_create_mail_spool = "yes";
    + static const char *def_btrfs_subvolume_home = "no";
      static const char *def_log_init = "yes";
      
     -static long def_inactive = -1;
21:  2549caa6c394 = 20:  64723d009713 *: shadow(5): sp_min: Ignore field, and clear it
22:  6a2d2f3d7d15 = 21:  ff19bdd6315e *: shadow(5): sp_max: Ignore field, and clear it
23:  5140c36771b9 = 22:  25445a691a07 *: shadow(5): sp_inact: Ignore field, and clear it
24:  332a3f9c2e64 = 23:  6fb3b6361bed *: shadow(5): sp_warn: Ignore field, and clear it
25:  cabb33c3cafb ! 24:  c299ba64a4f3 *: shadow(5): sp_lstchg: Reduce the allowed values to "0", and ""
    @@ lib/gettime.c (deleted)
     -gettime(void)
     -{
     -  char    *source_date_epoch;
    --  FILE    *shadow_logfd = log_get_logfd();
     -  time_t  fallback, epoch;
     -
     -  fallback = time (NULL);
    @@ lib/gettime.c (deleted)
     -          return fallback;
     -
     -  if (a2i(time_t, &epoch, source_date_epoch, NULL, 10, 0, fallback) == -1) {
    --          fprintf(shadow_logfd,
    +-          fprintf(log_get_logfd(),
     -                  _("Environment variable $SOURCE_DATE_EPOCH: a2i(\"%s\"): %s"),
     -                  source_date_epoch, strerrno());
     -          return fallback;
    @@ src/useradd.c: static void new_spent (struct spwd *spent)
     
      ## src/usermod.c ##
     @@ src/usermod.c: static void new_spent (struct spwd *spent, bool process_selinux)
    -   spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);
    +   spent->sp_pwdp = new_pw_passwd(spent->sp_pwdp, process_selinux);
      
        if (pflg) {
     -          spent->sp_lstchg = gettime () / DAY;
26:  a991ac0edebd = 25:  ee6d4f550316 tests/system/tests/test_newusers.py: Remove tests where PAM differs from us.