How to prevent users from extending their window of valid login

Generally, password expiration is used to force users to change their passwords. What it sounds like you want to do is to lock the account, which prevents all login.

What I would suggest you do instead is, when you create the account, also set up an at job which will lock the account after four hours.

For example:

useradd temp8143
echo chage -E 0 temp8143 | at now + 4 hours

(chage -E expects expiration dates to be given in days, so we work around this with an at job.)
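The approach in the answer above, wrapped with input checks, as an added example that is not part of either answer. The function names, the 32-character and 999-hour limits, and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hardened wrapper for the useradd + at approach.
# Function names, the length/hour limits and the sample data are assumptions.
LC_ALL=C; export LC_ALL

# Accept only conservative login names: the name is pasted into a job
# that `at` later runs as root, so shell metacharacters must not get in.
valid_user() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        [a-z_]*) [ "${#1}" -le 32 ] ;;
        *) return 1 ;;
    esac
}

# Whole hours from 1 to 999, no leading zero.
valid_hours() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
        *) [ "${#1}" -le 3 ] ;;
    esac
}

# Text of the job handed to at(1); same command as in the answer.
lock_job() {
    valid_user "$1" || return 1
    printf 'chage -E 0 %s\n' "$1"
}

# Field 8 of a shadow(5) line is the account expiration date in days.
expire_field() {
    printf '%s\n' "$1" | awk -F: '{ print $8 }'
}

# Create the account and queue the lock. If the job cannot be queued,
# remove the account so it is never left without an expiry.
provision() {
    if ! valid_user "$1" || ! valid_hours "$2"; then
        echo "usage: provision USER HOURS" >&2
        return 2
    fi
    useradd "$1" || return 1
    lock_job "$1" | at now + "$2" hours || { userdel "$1"; return 1; }
}

# Runs only when called as: script USER HOURS (needs root).
if [ "$#" -eq 2 ]; then
    provision "$1" "$2"
fi
```

Once the job has run, `expire_field "$(getent shadow temp8143)"` as root shows the value `chage` wrote.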


If you remove the setuid bit from the passwd command, only root will be able to use it. This will also prevent users from changing the password before it expires, which could otherwise be a way for the users to extend the account for another four hours.

[jenny@finch ~]$ sudo chmod -s /usr/bin/passwd
[jenny@finch ~]$ passwd
Changing password for user jenny.
Changing password for jenny.
(current) UNIX password: 
New password: 
Retype new password: 
passwd: Authentication token manipulation error

Root is still able to change any password:

[jenny@finch ~]$ sudo passwd jenny
Changing password for user jenny.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.