Is there a way to prevent password expiration when user has no password?
Posted by Eric DANNIELOU on Server Fault
Published on 2012-09-05T16:28:45Z
Okay, we all care about security so users should change their passwords on a regular basis (who said passwords are like underwear?).
On Red Hat and CentOS (5.x and 6.x), it's possible to make every real user's password expire after 45 days, and warn them 7 days before.
The /etc/shadow entry then looks like:
testuser:$6$m8VQ7BWU$b3UBovxC5b9p2UxLxyT0QKKgG1RoOHoap2CV7HviDJ03AUvcFTqB.yiV4Dn7Rj6LgCBsJ1.obQpaLVCx5.Sx90:15588:1:45:7:::
It works very well and most users often change their passwords.
Some users find it convenient not to use any password but an SSH public key (and I'd like to encourage them).
Then after 45 days they can't log in as they forgot their password and are asked to change it.
Is there a way to prevent password expiration if and only if the password is disabled?
Setting testuser:!!:15588:1:45:7:::
in /etc/shadow did not work: testuser is asked to change his password after 45 days.
Of course, setting password expiration back to 99999 days works, but:
- It requires extra work.
- Security auditors might not be happy.
Is there a system-wide parameter that would prompt the user to change an expired password only if he really has one?
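An audit check for the situation described in the question, as an added example that is not part of the original post: it lists accounts whose /etc/shadow password field is disabled (`!` or `*` prefix) but which still carry a maximum password age, with the date the change prompt would start. All sample entries except the `testuser:!!` line are constructed, and the function names are hypothetical.

```python
from datetime import date, timedelta

# Constructed sample in /etc/shadow format. Fields:
# name:password:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
testuser:!!:15588:1:45:7:::
alice:$6$constructedsalt$constructedhash:15588:1:45:7:::
svc:*:15588:0:99999:7:::
keyonly:!!:15588:0::7:::
"""

EPOCH = date(1970, 1, 1)   # lastchg is counted in days since this date
NO_EXPIRY = 99999          # the "never expires" value mentioned in the post


def password_disabled(field):
    """True when no typed password can match (locked or placeholder field)."""
    return field.startswith(("!", "*"))


def aging_disabled_accounts(shadow_text):
    """Return (name, expiry_date) for disabled-password entries that still expire."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue  # blank or malformed line: skip rather than guess
        name, pw, lastchg, _minage, maxage = fields[:5]
        if not password_disabled(pw):
            continue  # account has a usable password, aging is intended
        if not (lastchg.isdigit() and maxage.isdigit()):
            continue  # empty lastchg or max means aging is off for this entry
        if int(maxage) >= NO_EXPIRY:
            continue
        expires = EPOCH + timedelta(days=int(lastchg) + int(maxage))
        findings.append((name, expires))
    return findings


if __name__ == "__main__":
    # To audit a real host, pass the contents of /etc/shadow (root only) instead.
    for name, expires in aging_disabled_accounts(SAMPLE_SHADOW):
        print(f"{name}: password disabled, but expiry prompt starts {expires}")
```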