Prompted for password reset even though account (and password) should never expire

Question

After deploying a VM from a prepared image I'm being prompted to change the root password when I try to log into the server via SSH:

me@localhost:~ $ ssh 192.168.1.2
You are required to change your password immediately (root enforced)
Welcome to Ubuntu xx.xx.x LTS (GNU/Linux x.x.x-xxx-generic x86_64)
Last login: Mon Jul 26 09:01:55 2021 from 192.168.1.1
Changing password for root.
(current) UNIX password: 

However, the account and password should be set to never expire. If I boot a rescue system and look at the account information I'm seeing this:

root@localhost:~# chage -l root
Last password change                                : password must be changed
Password expires                                    : password must be changed
Password inactive                                   : password must be changed
Account expires                                     : never
Minimum number of days between password change      : 0
Maximum number of days between password change      : 99999
Number of days of warning before password expires   : 7

I've seen recommendations to use chage -M -1 root, but that doesn't fix the problem for me.

Answer 1

If you take a look at /etc/shadow you'll see that the 3rd field of the user entry in question has been set to 0.

root:$6$wN...380J0:0:0:99999:7:::

From man 5 shadow:

date of last password change
The date of the last password change, expressed as the number of days since Jan 1, 1970.
The value 0 has a special meaning, which is that the user should change her password the next time she will log in the system.
An empty field means that password aging features are disabled.

Running chage -M -1 root won't help you because it will disable checking the password for validity, which is not what you want. From man chage:

-M, --maxday MAX_DAYS
Set the maximum number of days during which a password is valid. When MAX_DAYS plus LAST_DAY is less than the current day, the user will be required to change his/her password before being able to use his/her account. This occurrence can be planned for in advance by use of the -W option, which provides the user with advance warning.

Passing the number -1 as MAX_DAYS will remove checking a password's validity.

The current value of 99999 is perfectly fine for the maximum age setting. What you actually want is to clear the "password last set" field (disable password aging) or set it to a positive integer (the number of days between 1970-01-01 and the date of the last password change).

-d, --lastday LAST_DAY
Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format YYYY-MM-DD (or the format more commonly used in your area).

Either of the following commands should fix the issue:

chage -d -1 root            # clear field
chage -d $(date +%F) root   # set field to today