Title: Forcing new users to change their password on first login
-Tags: english, nuug, debian edu
-Date: 2010-05-02 13:40
+Tags: english, nuug, debian edu, sikkerhet
+Date: 2010-05-02 13:47
<p>One interesting feature in Active Directory, is the ability to
create a new user with an expired password, and thus force the user to
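Review bot: The Date header moves from 13:40 to 13:47 in the same change that only adds the sikkerhet tag. If Date is the publication time, leave it at 13:40 so the entry keeps its original timestamp; if it is meant to track the last edit, that should be stated somewhere. The new tag is also Norwegian on an entry tagged english, so confirm it matches the tag naming used for other English entries.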
account, is to change the date of the last password change to the
lowest value possible (January 1th 1970), and the maximum password age
to the difference in days between that date and today. To make it
-simple, I went for 30 years and January 2th (to avoid testing if 0 is
-a valid value).</p>
+simple, I went for 30 years (30 * 365 = 10950) and January 2th (to
+avoid testing if 0 is a valid value).</p>
<p>After using these commands to set it up, it seem to work as
intended:</p>
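Review bot: The added "(30 * 365 = 10950)" counts every year as 365 days, so 10950 days is a few days short of 30 calendar years once leap days are included. That is harmless here because the resulting expiry date is still far in the past, but the preceding sentence describes the maximum age as "the difference in days between that date and today", which 10950 is not. Suggest saying explicitly that any maximum age that places the expiry before today is enough. While touching the line, "January 2th" should be "January 2nd".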
<p>If you want to comment on or help out with implementing this for
Debian Edu, please contact us on debian-edu@lists.debian.org.</p>
+
+<p>Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the
+shadow(8) page in Debian/testing now state that setting the date of
+last password change to zero (0) will force the password to be changed
+on the first login. This was not mentioned in the manual in Lenny, so
+I did not notice this in my initial testing. I have tested it on
+Squeeze, and '<tt>chage -d 0 username</tt>' do work there. I have not
+tested it on Lenny yet.</p>
+
+<p>Update 2010-05-02-19:05: Jim Paris tells me via email that an
+equivalent command to expire a password is '<tt>passwd -e
+username</tt>', which insert zero into the date of the last password
+change.</p>
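Review bot: The two updates report that '<tt>chage -d 0 username</tt>' works on Squeeze and that '<tt>passwd -e username</tt>' is equivalent, but they are appended after the contact paragraph while the body still presents the 10950-day workaround as the method. Suggest a short pointer near the workaround telling readers that the simpler commands exist and that they were tested on Squeeze but not yet on Lenny, so nobody copies the workaround unnecessarily. The second timestamp, "2010-05-02-19:05", also has a hyphen where the first update uses a space ("2010-05-02 17:20").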