Day 2: Managing Temporary User Accounts with Expiry Dates in Linux ⏰


Welcome back! 👋

Day 2 of the 100 Days Cloud DevOps Challenge is here, and today we're diving into something incredibly practical - creating user accounts that automatically expire. This is a game-changer for managing temporary access in production environments!

🤔 What is User Account Expiry?

Imagine hiring a contractor for a 3-month project. You give them server access on Day 1, but what happens on Day 91? Do you remember to disable their account? What if you forget? 😱

That's where account expiry comes in! It's like setting a timer on a user account. When the expiry date hits, the account automatically gets disabled. No manual intervention needed. No "I forgot to remove access" situations. Pure automation! ✨

Think of it like a temporary parking pass - it works until the expiration date, then it's automatically invalid.

🎯 Why Do We Need Temporary User Accounts?

Let me paint you some real-world scenarios where this is absolutely critical:

👷 Contractors and Temporary Staff: You hire a developer for a 6-month project. Instead of manually tracking when to revoke their access, you set an expiry date when creating their account. When the project ends, their access automatically terminates. Clean and professional!

🔄 Project-Based Access: Just like our Nautilus project scenario today! A developer named Javed needs access for a specific project with a defined end date. Set it and forget it!

🔐 Security Compliance: Many security frameworks (like SOC 2, ISO 27001) require that temporary access should have defined end dates. Auditors love seeing automated expiry mechanisms because it reduces human error.

🎓 Interns and Trainees: Summer interns? Training programs? Set their account expiry to match their last day. No awkward "please return your access" conversations.

🧪 Testing and Development: Creating test accounts for QA? Set short expiry dates so they don't linger forever in your system.

💼 Vendor Access: Third-party vendors need temporary access to troubleshoot or implement something? Give them time-bound access. Security team will thank you!

📍 Where and When to Use Account Expiry?

Where:

  • Production servers handling sensitive data

  • Development and staging environments

  • Database servers with restricted access

  • Application servers in regulated industries

  • Jump servers and bastion hosts

  • Any environment where temporary access is granted

When:

  • Onboarding contractors or consultants

  • Setting up project-based team members

  • Creating accounts for vendors or partners

  • During security audits requiring time-bound access

  • For compliance with access review policies

  • When implementing least privilege access principles

💼 Today's Challenge: The Nautilus Project

At Stratos Datacenter, developer Javed is joining the Nautilus project temporarily. The project has a defined timeline, and we need to ensure his access automatically terminates when his assignment ends.

The Task: Create user javed on App Server 2 with an expiry date of 2023-12-07.

Important: Username must be lowercase (standard protocol - this prevents issues with case-sensitive systems!)

🛠️ Let's Solve This Step by Step

Step 1: Connect to App Server 2

First, let's SSH into the target server:

bash

ssh steve@stapp02

Step 2: Elevate to Root Privileges

User management requires root access:

bash

sudo su -

Now we're ready to create our temporary user!

Step 3: Create User with Expiry Date

Here's the powerful one-liner:

bash

useradd javed -e 2023-12-07

Let me break down what's happening here:

  • useradd - Our trusty user creation command

  • javed - The username (in lowercase as required)

  • -e 2023-12-07 - This is the magic! The -e flag sets the expiry date

  • Date format is YYYY-MM-DD (ISO 8601 standard)

Alternative Approach: If you already created the user and need to add expiry later:

bash

# Create user first
useradd javed

# Then set expiry date
chage -E 2023-12-07 javed

This two-step approach is useful when you're modifying existing accounts!

Step 4: Set Password (If Required)

Depending on your setup, you might need to set a password:

bash

passwd javed

Enter a strong password when prompted. Pro tip: Use a password generator for temporary accounts!

Step 5: Verify Everything is Perfect

This is crucial - always verify! Let's check multiple ways:

Check if user exists:

bash

id javed
# Output: uid=1002(javed) gid=1002(javed) groups=1002(javed)

Verify user entry:

bash

grep javed /etc/passwd
# Output: javed:x:1002:1002::/home/javed:/bin/bash

The most important check - verify expiry date:

bash

chage -l javed

This will show you detailed account aging information. Look for the line:

Account expires                                    : Dec 07, 2023

Alternative verification using shadow file:

bash

getent shadow javed | cut -d: -f8
# Output: 19698 (this is days since epoch)

Want to convert that number back to a readable date? Try this:

bash

date -d "1970-01-01 + 19698 days"

Cool, right? 😎
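A pre-flight check for Step 3, added here as an example rather than taken from the original walkthrough: it rejects uppercase usernames, malformed or past dates, and overly long grants before printing the useradd command. The function names and the 180-day MAX_DAYS limit are assumptions, and `date -d` requires GNU or BusyBox date.

```bash
# Added example (POSIX sh compatible): vet a temporary-account request.
# MAX_DAYS is a hypothetical policy limit, not part of the Nautilus task.
LC_ALL=C; export LC_ALL
MAX_DAYS=180

# YYYY-MM-DD -> days since 1970-01-01 UTC, the unit stored in /etc/shadow field 8.
date_to_days() {
    secs=$(date -u -d "$1 00:00:00" +%s 2>/dev/null) || return 1
    echo $(( secs / 86400 ))
}

# check_request USER DATE [TODAY_DAYS]
# Prints the command to run and returns 0, or prints a reason and returns 1.
check_request() (
    user=$1 expiry=$2
    today=${3:-$(( $(date -u +%s) / 86400 ))}
    case $user in
        ''|[!a-z_]*|*[!a-z0-9_-]*)
            echo "reject: username must be lowercase letters, digits, _ or -"; exit 1 ;;
    esac
    case $expiry in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "reject: expiry must be YYYY-MM-DD"; exit 1 ;;
    esac
    days=$(date_to_days "$expiry") || { echo "reject: not a calendar date"; exit 1; }
    if [ "$days" -le "$today" ]; then
        echo "reject: expiry is today or in the past"; exit 1
    fi
    if [ $(( days - today )) -gt "$MAX_DAYS" ]; then
        echo "reject: more than $MAX_DAYS days of access"; exit 1
    fi
    echo "useradd -e $expiry $user"
)

# Constructed request, evaluated as if today were 2023-11-01 (day 19662).
check_request javed 2023-12-07 19662
```

Omit the third argument in real use so the check runs against the current UTC day.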

🔍 Understanding Account Expiry in Depth

Let's dig deeper into how this actually works under the hood.

Where is Expiry Data Stored?

The expiry date is stored in the /etc/shadow file, specifically in the 8th field. This file contains secure user account information.

The shadow file format looks like this:

username:password:lastchange:min:max:warn:inactive:expire:reserved

The expire field (8th position) stores the number of days since January 1, 1970 (Unix epoch) until the account expires.

What Happens When Account Expires?

When the expiry date is reached:

  • โŒ User cannot login (SSH, console, or any other method)

  • โœ… User's files and data remain intact

  • โœ… Processes running as that user continue (until system restart)

  • โŒ No new authentication attempts succeed

  • ๐Ÿ“ Login attempts are logged in system logs

The account is essentially locked but not deleted!
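To make the field semantics concrete, this added example (not from the original post) reads shadow-format lines, extracts field 8 and reports each account as never expiring, active, expiring soon or expired. The entries are constructed, the function names are hypothetical, and it assumes the expiry day itself already counts as expired, following useradd(8)'s wording that -e is the date on which the account will be disabled.

```bash
# Added example (POSIX sh compatible): classify accounts by shadow field 8.
LC_ALL=C; export LC_ALL

# Days since the epoch -> YYYY-MM-DD (UTC). Needs GNU or BusyBox date.
days_to_date() { date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d; }

# classify_shadow TODAY_DAYS SOON_DAYS < shadow-format lines
# Prints "user status [date days_left]" for each entry.
classify_shadow() (
    today=$1 soon=$2
    while IFS=: read -r user _pw _chg _min _max _warn _inact expire _rest; do
        case $expire in
            ''|-1)    echo "$user never" ;;
            0)        echo "$user ambiguous-zero" ;;  # shadow(5) advises against 0
            *[!0-9]*) echo "$user malformed" ;;
            *)
                left=$(( expire - today ))
                # Assumption: the expiry day itself counts as expired (left = 0).
                if   [ "$left" -le 0 ];       then status=expired
                elif [ "$left" -le "$soon" ]; then status=expiring-soon
                else                               status=active
                fi
                echo "$user $status $(days_to_date "$expire") $left" ;;
        esac
    done
)

# Constructed entries; the password fields are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
javed:!!:19650:0:99999:7::19698:
steve:!!:19000:0:99999:7:::
vendor1:!!:19600:0:99999:7::19705:
intern1:!!:19500:0:99999:7::19600:
legacy:!!:18000:0:99999:7::0:
EOF
}

# Evaluate the sample as if today were 2023-12-07 (day 19698), 14-day window.
sample_shadow | classify_shadow 19698 14
```

On a live host, run it as root with `getent shadow | classify_shadow "$(( $(date -u +%s) / 86400 ))" 14`.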

Account Expiry vs Password Expiry

These are different concepts - don't confuse them!

Account Expiry:

  • Disables the entire account on a specific date

  • Set with -e flag or chage -E

  • Account becomes completely inaccessible

Password Expiry:

  • Forces password change after certain days

  • Set with chage -M (max days)

  • Account still accessible, just needs new password

🎨 Advanced Tips and Tricks

Removing Expiry Date

Changed your mind? Need to make the account permanent?

bash

chage -E -1 javed
# or
chage -E "" javed

The -1 value means "no expiry date"!

Checking Multiple Users

Want to audit all users with expiry dates?

bash

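# Run as root: chage -l only shows other users' aging data to root
for user in $(cut -d: -f1 /etc/passwd); do
    # LC_ALL=C keeps the "Account expires" label and "never" in English
    expiry=$(LC_ALL=C chage -l "$user" 2>/dev/null | grep "Account expires" | cut -d: -f2)
    if [[ "$expiry" != *"never"* ]] && [[ -n "$expiry" ]]; then
        echo "$user expires on $expiry"
    fi
done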

This script loops through all users and shows which ones have expiry dates!

Warning Before Expiry

Set up email notifications before accounts expire:

bash

chage -W 7 javed  # Warn 7 days before the password expires (-W is the password warning period)

💡 Key Takeaways

✨ Account expiry automates temporary access management

✨ Use ISO date format YYYY-MM-DD for expiry dates

✨ -e flag sets expiry during user creation

✨ chage command manages account aging policies

✨ Expired accounts are locked, not deleted

✨ Always verify expiry with chage -l username

✨ Account expiry ≠ password expiry (different concepts!)

✨ Stored in /etc/shadow file (8th field)

✨ Critical for security compliance and audits

✨ Reduces manual overhead in access management

🎓 Interview Questions You Should Master

Q1: What's the difference between account expiry and password expiry?

Answer: Account expiry completely disables the user account on a specific date - the user cannot login at all. Password expiry forces the user to change their password after a certain number of days, but the account remains active. Account expiry is set with useradd -e or chage -E, while password expiry is managed with chage -M (maximum password age). For temporary access, account expiry is more appropriate as it completely prevents access without requiring user action.

Q2: How would you check when a user account will expire?

Answer: There are multiple methods: First, use chage -l username which displays comprehensive account aging information including the expiry date in human-readable format. Second, you can check the /etc/shadow file directly - the 8th field contains days since epoch until expiry. Third, use getent shadow username | cut -d: -f8 to get the epoch days value. The chage -l method is preferred as it's most user-friendly and provides context about all aging policies.

Q3: What happens to a user's files and running processes when their account expires?

Answer: The user's files and home directory remain completely intact - account expiry doesn't delete any data. Any processes that were already running as that user continue to run until they're stopped or the system reboots. However, the user cannot initiate any new login sessions or start new processes. This is important for troubleshooting - if a service is running as an expired user, it continues working until restart, which can mask the expiry issue.

Q4: How would you extend or remove the expiry date of an existing user account?

Answer: Use the chage command with the -E flag. To extend to a new date: chage -E 2024-12-31 username. To remove expiry completely (make permanent): chage -E -1 username or chage -E "" username. The -1 value specifically means "never expire." You can verify the change with chage -l username. This is common when contractors get their contracts extended or temporary staff transitions to permanent positions.

Q5: Why is it considered a security best practice to use account expiry for temporary users?

Answer: Account expiry enforces the principle of least privilege and time-based access control. It eliminates the risk of forgotten accounts remaining active indefinitely - a common security vulnerability. Manual account management relies on human memory and process adherence, which frequently fails. Automated expiry ensures that temporary access truly is temporary, reducing the attack surface. It's also required for compliance frameworks like SOC 2, PCI-DSS, and ISO 27001, which mandate that temporary access must have defined end dates and automatic enforcement mechanisms.

Q6: Can you explain what the numbers in the /etc/shadow file represent for account expiry?

Answer: The /etc/shadow file stores secure user account data, with fields separated by colons. The 8th field contains the account expiry value as the number of days since January 1, 1970 (Unix epoch) until the account expires. For example, 19698 days since epoch equals December 7, 2023. An empty field or 0 means the account never expires. This epoch-based system makes date calculations easy for the system. You can convert between epoch days and readable dates using date manipulation commands like date -d "1970-01-01 + X days".

🚀 Real-World Pro Tips

For DevOps Engineers:

  • Automate account creation with expiry using configuration management tools (Ansible, Puppet, Chef)

  • Set up monitoring alerts for accounts nearing expiry

  • Document expiry dates in your ticketing system

  • Create a script to audit all expiring accounts weekly

For Security Teams:

  • Regular audits of accounts without expiry dates

  • Enforce expiry policies through account creation scripts

  • Log all account expiry events for compliance

  • Set shorter expiry periods for high-privilege accounts

For System Admins:

  • Always communicate expiry dates to users

  • Set expiry 1-2 days after expected end date (buffer for timezone differences)

  • Use consistent date format across your organization

  • Maintain an inventory of temporary accounts

🎯 What's Next?

That's Day 2 wrapped! We've mastered temporary user account management and learned how to automate access control through expiry dates. This is a fundamental skill that you'll use constantly in real DevOps environments!

Tomorrow, Day 3 awaits with new challenges! Keep building that muscle memory! 💪


Day: 2/100
Challenge: KodeKloud Cloud DevOps
Date: November 7, 2025
Topic: Linux User Management & Account Expiry

How do you manage temporary access in your organization? Share your experiences in the comments! 🎉
