Q3. How to Disable Password Aging Completely?

Short Answer:

To disable password aging completely for a user, use:

This removes maximum password age and account expiration.

Detailed Explanation

Linux password aging is controlled using the chage command and settings stored in:

Each user in /etc/shadow has fields related to:

• Last password change

• Minimum days

• Maximum days

• Warning days

• Account expiry

Option 1: Disable Password Expiry for a Specific User

To disable password expiration:

To disable account expiry:

To disable both:

Verify settings:

Output should show:

Option 2: Disable Password Aging Globally (Not Recommended in Production)

You can modify:

Change:

This affects newly created users only.

Production (Real Scenario)

Scenario:

A production application uses a service account to connect to the database.

If password aging is enabled:

• Password expires automatically after 90 days

• Application fails

• Production outage occurs

To prevent this:

• Disable password aging for service accounts

• Restrict login shell (/sbin/nologin)

• Restrict SSH access

This ensures:
✔ No unexpected expiry
✔ No downtime
✔ Better service reliability

Important Security Note

Disabling password aging for normal users is not recommended.

Best Practice:

• Disable aging only for service accounts

• Enforce strong password policy for human users

• Use centralized authentication (LDAP/AD) in enterprise environments

Interview One-liner

“In production, we disable password aging only for service accounts using chage -M -1 -E -1, to prevent unexpected outages caused by expired credentials.”