Oracle: prevent password from aging on Exatada
When deploying an Oracle Exadata, passwords will be valid only for 60 days. After that time period, you will have to set a new password. But that's not very comfortable - and it will prevent your monitoring systems from logging in. I'll show you how to disable password aging on Exadata.
A few weeks after deploying an Exadata, I get these messages when logging in:
Using username "oracle".
Authenticating with public key "rsa-key-20250810"
You are required to change your password immediately (password expired)
Last login: Fri Dec 19 14:06:56 2025 from 100.17.18.175
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user oracle.
Current password:Ok, changing passwords is not a big deal. But my monitoring system will not work, as it can't login to the system - it's getting the same message.
Do I really need a new password every two or three months?
We decide to keep passwords for a longer time, as these passwords are different for each system, quite long (> 16 characters, including upper and lower case as well as numbers and special characters).
But how can we change the behaviour on Exadata?
There's a tool named host_access_control that will show us how the password policy is configured:
# /opt/oracle.cellos/host_access_control password-policy --status As we can see, passwords are valid only for 60 days:
[2026-01-06 09:55:52 +0100] [INFO] [IMG-SEC-0901] Password policy parameter PASS_MAX_DAYS 60 is set.
[2026-01-06 09:55:52 +0100] [INFO] [IMG-SEC-0901] Password policy parameter PASS_MIN_DAYS 1 is set.
[2026-01-06 09:55:52 +0100] [INFO] [IMG-SEC-0901] Password policy parameter PASS_MIN_LEN 8 is set.
[2026-01-06 09:55:52 +0100] [INFO] [IMG-SEC-0901] Password policy parameter PASS_WARN_AGE 7 is set.But are we allowed to change it? Let's have a look at the tool's help function:
# /opt/oracle.cellos/host_access_control password-policy --help usage: host_access_control [-h] [-s] [--defaults]
[--PASS_MAX_DAYS PASS_MAX_DAYS]
[--PASS_MIN_DAYS PASS_MIN_DAYS]
[--PASS_MIN_LEN PASS_MIN_LEN]
[--PASS_WARN_AGE PASS_WARN_AGE]
Description - Password Aging Policy Control:
Defines and displays the password aging policies for new account creation.
For active passord aging use the password-aging command.
optional arguments:
-h, --help show this help message and exit
-s, --status Display current password age settings
--defaults Set all password-policy values to *Exadata factory
defaults
--PASS_MAX_DAYS PASS_MAX_DAYS
Maximum number of days a password may be used. Input
limited to -1 or from 1 to 36500, -1 disables.
--PASS_MIN_DAYS PASS_MIN_DAYS
Minimum number of days allowed between password
changes. Input limited to -1 or from 1 to 36500, -1
disables.
--PASS_MIN_LEN PASS_MIN_LEN
Minimum acceptable password length. Input limited to
from 8 to 30.
--PASS_WARN_AGE PASS_WARN_AGE
Number of days warning given before a password
expires. Input limited to -1 or from 0 to 90. -1
disables.
Any option but --defaults and --status may be combined.
(*Exadata factory default values)
Ok, it seems that we can change password to be valid forever using the option PASS_MAX_DAYS:
# /opt/oracle.cellos/host_access_control password-policy --PASS_MAX_DAYS -1 [2026-01-06 09:56:03 +0100] [INFO] [IMG-SEC-0902] Password policy parameter PASS_MAX_DAYS set to -1Let's cross-check:
# /opt/oracle.cellos/host_access_control password-policy --status [2026-01-06 09:56:04 +0100] [INFO] [IMG-SEC-0901] Password policy parameter PASS_MAX_DAYS -1 is set.
[2026-01-06 09:56:04 +0100] [INFO] [IMG-SEC-0901] Password policy parameter PASS_MIN_DAYS 1 is set.
[2026-01-06 09:56:04 +0100] [INFO] [IMG-SEC-0901] Password policy parameter PASS_MIN_LEN 8 is set.
[2026-01-06 09:56:04 +0100] [INFO] [IMG-SEC-0901] Password policy parameter PASS_WARN_AGE 7 is set.Now, the password won't become invalid, and my monitoring will work also 60 days after a password change...