Inconsistent password aging across tools

[stoeckmann]

Some tools in shadow assume that a maximum time before password change of 10.000 (and sometimes above) is equal to "unlimited." Such a limit is set by newusers if PASS_MAX_DAYS is not set in /etc/login.defs:

# newusers <<< user:pass:1234:1234::/home/user:/bin/bash
# grep user /etc/passwd /etc/shadow
/etc/passwd:user:x:1234:1234::/home/user:/bin/bash
/etc/shadow:user:...:19721:0:10000:7:::
# chage -l user
Last password change                                    : Dec 30, 2023
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 10000
Number of days of warning before password expires       : 7

According to this output, the password will never expire.

Let's adjust the inactivity timeout and set the last password change far into the past:

# chage -I 100 user
# chage -d 1 user
# chage -l user
Last password change                                    : Jan 02, 1970
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 10000
Number of days of warning before password expires       : 7
# grep ^user /etc/shadow
/etc/passwd:user:x:1234:1234::/home/user:/bin/bash
/etc/shadow:user:...:1:0:10000:7:100::

According to this output, the password will still never expire.

But if you try to log in, the user account is expired and locked.