<item>
- <title>Forcing new users to change their password on first login</title>
- <link>http://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html</guid>
- <pubDate>Sun, 2 May 2010 13:47:00 +0200</pubDate>
- <description>
-<p>One interesting feature in Active Directory, is the ability to
-create a new user with an expired password, and thus force the user to
-change the password on the first login attempt.</p>
+ <title>Parallellized boot seem to hold up well in Debian/testing</title>
+ <link>http://people.skolelinux.org/pere/blog/Parallellized_boot_seem_to_hold_up_well_in_Debian_testing.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Parallellized_boot_seem_to_hold_up_well_in_Debian_testing.html</guid>
+ <pubDate>Thu, 27 May 2010 23:55:00 +0200</pubDate>
+ <description><p>A few days ago, parallel booting was enabled in Debian/testing.
+The feature seem to hold up pretty well, but three fairly serious
+issues are known and should be solved:
-<p>I'm not quite sure how to do that with the LDAP setup in Debian
-Edu, but did some initial testing with a local account. The account
-and password aging information is available in /etc/shadow, but
-unfortunately, it is not possible to specify an expiration time for
-passwords, only a maximum age for passwords.</p>
+<p><ul>
-<p>A freshly created account (using adduser test) will have these
-settings in /etc/shadow:</p>
+<li>The wicd package seen to
+<a href="http://bugs.debian.org/508289">break NFS mounting</a> and
+<a href="http://bugs.debian.org/581586">network setup</a> when
+parallel booting is enabled. No idea why, but the wicd maintainer
+seem to be on the case.</li>
-<blockquote><pre>
-root@tjener:~# chage -l test
-Last password change : May 02, 2010
-Password expires : never
-Password inactive : never
-Account expires : never
-Minimum number of days between password change : 0
-Maximum number of days between password change : 99999
-Number of days of warning before password expires : 7
-root@tjener:~#
-</pre></blockquote>
+<li>The nvidia X driver seem to
+<a href="http://bugs.debian.org/583312">have a race condition</a>
+triggered more easily when parallel booting is in effect. The
+maintainer is on the case.</li>
-<p>The only way I could come up with to create a user with an expired
-account, is to change the date of the last password change to the
-lowest value possible (January 1th 1970), and the maximum password age
-to the difference in days between that date and today. To make it
-simple, I went for 30 years (30 * 365 = 10950) and January 2th (to
-avoid testing if 0 is a valid value).</p>
+<li>The sysv-rc package fail to properly enable dependency based boot
+sequencing (the shutdown is broken) when old file-rc users
+<a href="http://bugs.debian.org/575080">try to switch back</a> to
+sysv-rc. One way to solve it would be for file-rc to create
+/etc/init.d/.legacy-bootordering, and another is to try to make
+sysv-rc more robust. Will investigate some more and probably upload a
+workaround in sysv-rc to help those trying to move from file-rc to
+sysv-rc get a working shutdown.</li>
-<p>After using these commands to set it up, it seem to work as
-intended:</p>
+</ul></p>
-<blockquote><pre>
-root@tjener:~# chage -d 1 test; chage -M 10950 test
-root@tjener:~# chage -l test
-Last password change : Jan 02, 1970
-Password expires : never
-Password inactive : never
-Account expires : never
-Minimum number of days between password change : 0
-Maximum number of days between password change : 10950
-Number of days of warning before password expires : 7
-root@tjener:~#
-</pre></blockquote>
+<p>All in all not many surprising issues, and all of them seem
+solvable before Squeeze is released. In addition to these there are
+some packages with bugs in their dependencies and run level settings,
+which I expect will be fixed in a reasonable time span.</p>
-<p>So far I have tested this with ssh and console, and kdm (in
-Squeeze) login, and all ask for a new password before login in the
-user (with ssh, I was thrown out and had to log in again).</p>
+<p>If you report any problems with dependencies in init.d scripts to
+the BTS, please usertag the report to get it to show up at
+<a href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=initscripts-ng-devel@lists.alioth.debian.org">the
+list of usertagged bugs related to this</a>.</p>
-<p>Perhaps we should set up something similar for Debian Edu, to make
-sure only the user itself have the account password?</p>
+<p>Update: Correct bug number to file-rc issue.</p>
+</description>
+ </item>
+
+ <item>
+ <title>More flexible firmware handling in debian-installer</title>
+ <link>http://people.skolelinux.org/pere/blog/More_flexible_firmware_handling_in_debian_installer.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/More_flexible_firmware_handling_in_debian_installer.html</guid>
+ <pubDate>Sat, 22 May 2010 21:30:00 +0200</pubDate>
+ <description><p>After a long break from debian-installer development, I finally
+found time today to return to the project. Having to spend less time
+working dependency based boot in debian, as it is almost complete now,
+definitely helped freeing some time.</p>
-<p>If you want to comment on or help out with implementing this for
-Debian Edu, please contact us on debian-edu@lists.debian.org.</p>
+<p>A while back, I ran into a problem while working on Debian Edu. We
+include some firmware packages on the Debian Edu CDs, those needed to
+get disk and network controllers working. Without having these
+firmware packages available during installation, it is impossible to
+install Debian Edu on the given machine, and because our target group
+are non-technical people, asking them to provide firmware packages on
+an external medium is a support pain. Initially, I expected it to be
+enough to include the firmware packages on the CD to get
+debian-installer to find and use them. This proved to be wrong.
+Next, I hoped it was enough to symlink the relevant firmware packages
+to some useful location on the CD (tried /cdrom/ and
+/cdrom/firmware/). This also proved to not work, and at this point I
+found time to look at the debian-installer code to figure out what was
+going to work.</p>
-<p>Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the
-shadow(8) page in Debian/testing now state that setting the date of
-last password change to zero (0) will force the password to be changed
-on the first login. This was not mentioned in the manual in Lenny, so
-I did not notice this in my initial testing. I have tested it on
-Squeeze, and '<tt>chage -d 0 username</tt>' do work there. I have not
-tested it on Lenny yet.</p>
+<p>The firmware loading code is in the hw-detect package, and a closer
+look revealed that it would only look for firmware packages outside
+the installation media, so the CD was never checked for firmware
+packages. It would only check USB sticks, floppies and other
+"external" media devices. Today I changed it to also look in the
+/cdrom/firmware/ directory on the mounted CD or DVD, which should
+solve the problem I ran into with Debian edu. I also changed it to
+look in /firmware/, to make sure the installer also find firmware
+provided in the initrd when booting the installer via PXE, to allow us
+to provide the same feature in the PXE setup included in Debian
+Edu.</p>
-<p>Update 2010-05-02-19:05: Jim Paris tells me via email that an
-equivalent command to expire a password is '<tt>passwd -e
-username</tt>', which insert zero into the date of the last password
-change.</p>
+<p>To make sure firmware deb packages with a license questions are not
+activated without asking if the license is accepted, I extended
+hw-detect to look for preinst scripts in the firmware packages, and
+run these before activating the firmware during installation. The
+license question is asked using debconf in the preinst, so this should
+solve the issue for the firmware packages I have looked at so far.</p>
+
+<p>If you want to discuss the details of these features, please
+contact us on debian-boot@lists.debian.org.</p>
</description>
</item>
<item>
- <title>Parallellizing the boot in Debian Squeeze - ready for wider testing</title>
- <link>http://people.skolelinux.org/pere/blog/Parallellizing_the_boot_in_Debian_Squeeze___ready_for_wider_testing.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Parallellizing_the_boot_in_Debian_Squeeze___ready_for_wider_testing.html</guid>
- <pubDate>Thu, 6 May 2010 23:25:00 +0200</pubDate>
- <description>
-<p>These days, the init.d script dependencies in Squeeze are quite
-complete, so complete that it is actually possible to run all the
-init.d scripts in parallell based on these dependencies. If you want
-to test your Squeeze system, make sure
-<a href="http://wiki.debian.org/LSBInitScripts/DependencyBasedBoot">dependency
-based boot sequencing</a> is enabled, and add this line to
-/etc/default/rcS:</p>
+ <title>Magnetstripeinnhold i billetter fra Flytoget og Hurtigruten</title>
+ <link>http://people.skolelinux.org/pere/blog/Magnetstripeinnhold_i_billetter_fra_Flytoget_og_Hurtigruten.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Magnetstripeinnhold_i_billetter_fra_Flytoget_og_Hurtigruten.html</guid>
+ <pubDate>Fri, 21 May 2010 16:00:00 +0200</pubDate>
+ <description><p>For en stund tilbake kjøpte jeg en magnetkortleser for å kunne
+titte på hva som er skrevet inn på magnetstripene til ulike kort. Har
+ikke hatt tid til å analysere mange kort så langt, men tenkte jeg
+skulle dele innholdet på to kort med mine lesere.</p>
-<blockquote><pre>
-CONCURRENCY=makefile
-</pre></blockquote>
+<p>For noen dager siden tok jeg flyet til Harstad og Hurtigruten til
+Bergen. Flytoget fra Oslo S til flyplassen ga meg en billett med
+magnetstripe. Påtrykket finner jeg følgende informasjon:</p>
-<p>That is it. It will cause sysv-rc to use the startpar tool to run
-scripts in parallel using the dependency information stored in
-/etc/init.d/.depend.boot, /etc/init.d/.depend.start and
-/etc/init.d/.depend.stop to order the scripts. Startpar is configured
-to try to start the kdm and gdm scripts as early as possible, and will
-start the facilities required by kdm or gdm as early as possible to
-make this happen.</p>
+<pre>
+Flytoget Airport Express Train
-<p>Give it a try, and see if you like the result. If some services
-fail to start properly, it is most likely because they have incomplete
-init.d script dependencies in their startup script (or some of their
-dependent scripts have incomplete dependencies). Report bugs and get
-the package maintainers to fix it. :)</p>
+Fra - Til : Oslo Sentralstasjon
+Kategori : Voksen
+Pris : Nok 170,00
+Herav mva. 8,00% : NOK 12,59
+Betaling : Kontant
+Til - Fra : Oslo Lufthavn
+Utstedt: : 08.05.10
+Gyldig Fra-Til : 08.05.10-07.11.10
+Billetttype : Enkeltbillett
-<p>Running scripts in parallel could be the default in Debian when we
-manage to get the init.d script dependencies complete and correct. I
-expect we will get there in Squeeze+1, if we get manage to test and
-fix the remaining issues.</p>
+102-1015-100508-48382-01-08
+</pre>
+
+<p>På selve magnetstripen er innholdet
+<tt>;E?+900120011=23250996541068112619257138248441708433322932704083389389062603279671261502492655?</tt>.
+Aner ikke hva innholdet representerer, og det er lite overlapp mellom
+det jeg ser trykket på billetten og det jeg ser av tegn i
+magnetstripen. Håper det betyr at de bruker kryptografiske metoder
+for å gjøre det vanskelig å forfalske billetter.</p>
+
+<p>Den andre billetten er fra Hurtigruten, der jeg mistenker at
+strekkoden på fronten er mer brukt enn magnetstripen (det var i hvert
+fall den biten vi stakk inn i dørlåsen).</p>
+
+<p>Påtrykket forsiden er følgende:</p>
+
+<pre>
+Romnummer 727
+Hurtigruten
+Midnatsol
+Reinholdtsen
+Petter
+Bookingno: SAX69 0742193
+Harstad-Bergen
+Dep: 09.05.2010 Arr: 12.05.2010
+Lugar fra Risøyhamn
+Kost: FRO=4
+</pre>
+
+<p>På selve magnetstripen er innholdet
+<tt>;1316010007421930=00000000000000000000?+E?</tt>. Heller ikke her
+ser jeg mye korrespondanse mellom påtrykk og magnetstripe.</p>
+</description>
+ </item>
+
+ <item>
+ <title>Pieces of the roaming laptop puzzle in Debian</title>
+ <link>http://people.skolelinux.org/pere/blog/Pieces_of_the_roaming_laptop_puzzle_in_Debian.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Pieces_of_the_roaming_laptop_puzzle_in_Debian.html</guid>
+ <pubDate>Wed, 19 May 2010 19:00:00 +0200</pubDate>
+ <description><p>Today, the last piece of the puzzle for roaming laptops in Debian
+Edu finally entered the Debian archive. Today, the new
+<a href="http://packages.qa.debian.org/libp/libpam-mklocaluser.html">libpam-mklocaluser</a>
+package was accepted. Two days ago, two other pieces was accepted
+into unstable. The
+<a href="http://packages.qa.debian.org/p/pam-python.html">pam-python</a>
+package needed by libpam-mklocaluser, and the
+<a href="http://packages.qa.debian.org/s/sssd.html">sssd</a> package
+passed NEW on Monday. In addition, the
+<a href="http://packages.qa.debian.org/libp/libpam-ccreds.html">libpam-ccreds</a>
+package we need is in experimental (version 10-4) since Saturday, and
+hopefully will be moved to unstable soon.</p>
+
+<p>This collection of packages allow for two different setups for
+roaming laptops. The traditional setup would be using libpam-ccreds,
+nscd and libpam-mklocaluser with LDAP or Kerberos authentication,
+which should work out of the box if the configuration changes proposed
+for nscd in <a href="http://bugs.debian.org/485282">BTS report
+#485282</a> is implemented. The alternative setup is to use sssd with
+libpam-mklocaluser to connect to LDAP or Kerberos and let sssd take
+care of the caching of passwords and group information.</p>
+
+<p>I have so far been unable to get sssd to work with the LDAP server
+at the University, but suspect the issue is some SSL/GnuTLS related
+problem with the server certificate. I plan to update the Debian
+package to version 1.2, which is scheduled for next week, and hope to
+find time to make sure the next release will include both the
+Debian/Ubuntu specific patches. Upstream is friendly and responsive,
+and I am sure we will find a good solution.</p>
+
+<p>The idea is to set up the roaming laptops to authenticate using
+LDAP or Kerberos and create a local user with home directory in /home/
+when a usre in LDAP logs in via KDM or GDM for the first time, and
+cache the password for offline checking, as well as caching group
+memberhips and other relevant LDAP information. The
+libpam-mklocaluser package was created to make sure the local home
+directory is in /home/, instead of /site/server/directory/ which would
+be the home directory if pam_mkhomedir was used. To avoid confusion
+with support requests and configuration, we do not want local laptops
+to have users in a path that is used for the same users home directory
+on the home directory servers.</p>
+
+<p>One annoying problem with gdm is that it do not show the PAM
+message passed to the user from libpam-mklocaluser when the local user
+is created. Instead gdm simply reject the login with some generic
+message. The message is shown in kdm, ssh and login, so I guess it is
+a bug in gdm. Have not investigated if there is some other message
+type that can be used instead to get gdm to also show the message.</p>
+
+<p>If you want to help out with implementing this for Debian Edu,
+please contact us on debian-edu@lists.debian.org.</p>
+</description>
+ </item>
+
+ <item>
+ <title>Parallellized boot is now the default in Debian/unstable</title>
+ <link>http://people.skolelinux.org/pere/blog/Parallellized_boot_is_now_the_default_in_Debian_unstable.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Parallellized_boot_is_now_the_default_in_Debian_unstable.html</guid>
+ <pubDate>Fri, 14 May 2010 22:40:00 +0200</pubDate>
+ <description><p>Since this evening, parallel booting is the default in
+Debian/unstable for machines using dependency based boot sequencing.
+Apparently the testing of concurrent booting has been wider than
+expected, if I am to believe the
+<a href="http://lists.debian.org/debian-devel/2010/05/msg00122.html">input
+on debian-devel@</a>, and I concluded a few days ago to move forward
+with the feature this weekend, to give us some time to detect any
+remaining problems before Squeeze is frozen. If serious problems are
+detected, it is simple to change the default back to sequential boot.
+The upload of the new sysvinit package also activate a new upstream
+version.</p>
+
+More information about
+<a href="http://wiki.debian.org/LSBInitScripts/DependencyBasedBoot">dependency
+based boot sequencing</a> is available from the Debian wiki. It is
+currently possible to disable parallel booting when one run into
+problems caused by it, by adding this line to /etc/default/rcS:</p>
+
+<blockquote><pre>
+CONCURRENCY=none
+</pre></blockquote>
<p>If you report any problems with dependencies in init.d scripts to
the BTS, please usertag the report to get it to show up at
</description>
</item>
+ <item>
+ <title>Sitesummary tip: Listing MAC address of all clients</title>
+ <link>http://people.skolelinux.org/pere/blog/Sitesummary_tip__Listing_MAC_address_of_all_clients.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Sitesummary_tip__Listing_MAC_address_of_all_clients.html</guid>
+ <pubDate>Fri, 14 May 2010 21:10:00 +0200</pubDate>
+ <description><p>In the recent Debian Edu versions, the
+<a href="http://wiki.debian.org/DebianEdu/HowTo/SiteSummary">sitesummary
+system</a> is used to keep track of the machines in the school
+network. Each machine will automatically report its status to the
+central server after boot and once per night. The network setup is
+also reported, and using this information it is possible to get the
+MAC address of all network interfaces in the machines. This is useful
+to update the DHCP configuration.</p>
+
+<p>To give some idea how to use sitesummary, here is a one-liner to
+ist all MAC addresses of all machines reporting to sitesummary. Run
+this on the collector host:</p>
+
+<blockquote><pre>
+perl -MSiteSummary -e 'for_all_hosts(sub { print join(" ", get_macaddresses(shift)), "\n"; });'
+</pre></blockquote>
+
+<p>This will list all MAC addresses assosiated with all machine, one
+line per machine and with space between the MAC addresses.</p>
+
+<p>To allow system administrators easier job at adding static DHCP
+addresses for hosts, it would be possible to extend this to fetch
+machine information from sitesummary and update the DHCP and DNS
+tables in LDAP using this information. Such tool is unfortunately not
+written yet.</p>
+</description>
+ </item>
+
<item>
<title>systemd, an interesting alternative to upstart</title>
<link>http://people.skolelinux.org/pere/blog/systemd__an_interesting_alternative_to_upstart.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/systemd__an_interesting_alternative_to_upstart.html</guid>
<pubDate>Thu, 13 May 2010 22:20:00 +0200</pubDate>
- <description>
-<p>The last few days a new boot system called
+ <description><p>The last few days a new boot system called
<a href="http://www.freedesktop.org/wiki/Software/systemd">systemd</a>
has been
<a href="http://0pointer.de/blog/projects/systemd.html">introduced</a>
</item>
<item>
- <title>Sitesummary tip: Listing MAC address of all clients</title>
- <link>http://people.skolelinux.org/pere/blog/Sitesummary_tip__Listing_MAC_address_of_all_clients.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Sitesummary_tip__Listing_MAC_address_of_all_clients.html</guid>
- <pubDate>Fri, 14 May 2010 21:10:00 +0200</pubDate>
- <description>
-<p>In the recent Debian Edu versions, the
-<a href="http://wiki.debian.org/DebianEdu/HowTo/SiteSummary">sitesummary
-system</a> is used to keep track of the machines in the school
-network. Each machine will automatically report its status to the
-central server after boot and once per night. The network setup is
-also reported, and using this information it is possible to get the
-MAC address of all network interfaces in the machines. This is useful
-to update the DHCP configuration.</p>
-
-<p>To give some idea how to use sitesummary, here is a one-liner to
-ist all MAC addresses of all machines reporting to sitesummary. Run
-this on the collector host:</p>
+ <title>Parallellizing the boot in Debian Squeeze - ready for wider testing</title>
+ <link>http://people.skolelinux.org/pere/blog/Parallellizing_the_boot_in_Debian_Squeeze___ready_for_wider_testing.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Parallellizing_the_boot_in_Debian_Squeeze___ready_for_wider_testing.html</guid>
+ <pubDate>Thu, 6 May 2010 23:25:00 +0200</pubDate>
+ <description><p>These days, the init.d script dependencies in Squeeze are quite
+complete, so complete that it is actually possible to run all the
+init.d scripts in parallell based on these dependencies. If you want
+to test your Squeeze system, make sure
+<a href="http://wiki.debian.org/LSBInitScripts/DependencyBasedBoot">dependency
+based boot sequencing</a> is enabled, and add this line to
+/etc/default/rcS:</p>
<blockquote><pre>
-perl -MSiteSummary -e 'for_all_hosts(sub { print join(" ", get_macaddresses(shift)), "\n"; });'
+CONCURRENCY=makefile
</pre></blockquote>
-<p>This will list all MAC addresses assosiated with all machine, one
-line per machine and with space between the MAC addresses.</p>
+<p>That is it. It will cause sysv-rc to use the startpar tool to run
+scripts in parallel using the dependency information stored in
+/etc/init.d/.depend.boot, /etc/init.d/.depend.start and
+/etc/init.d/.depend.stop to order the scripts. Startpar is configured
+to try to start the kdm and gdm scripts as early as possible, and will
+start the facilities required by kdm or gdm as early as possible to
+make this happen.</p>
-<p>To allow system administrators easier job at adding static DHCP
-addresses for hosts, it would be possible to extend this to fetch
-machine information from sitesummary and update the DHCP and DNS
-tables in LDAP using this information. Such tool is unfortunately not
-written yet.</p>
+<p>Give it a try, and see if you like the result. If some services
+fail to start properly, it is most likely because they have incomplete
+init.d script dependencies in their startup script (or some of their
+dependent scripts have incomplete dependencies). Report bugs and get
+the package maintainers to fix it. :)</p>
+
+<p>Running scripts in parallel could be the default in Debian when we
+manage to get the init.d script dependencies complete and correct. I
+expect we will get there in Squeeze+1, if we get manage to test and
+fix the remaining issues.</p>
+
+<p>If you report any problems with dependencies in init.d scripts to
+the BTS, please usertag the report to get it to show up at
+<a href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=initscripts-ng-devel@lists.alioth.debian.org">the
+list of usertagged bugs related to this</a>.</p>
</description>
</item>
<item>
- <title>Parallellized boot is now the default in Debian/unstable</title>
- <link>http://people.skolelinux.org/pere/blog/Parallellized_boot_is_now_the_default_in_Debian_unstable.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Parallellized_boot_is_now_the_default_in_Debian_unstable.html</guid>
- <pubDate>Fri, 14 May 2010 22:40:00 +0200</pubDate>
- <description>
-<p>Since this evening, parallel booting is the default in
-Debian/unstable for machines using dependency based boot sequencing.
-Apparently the testing of concurrent booting has been wider than
-expected, if I am to believe the
-<a href="http://lists.debian.org/debian-devel/2010/05/msg00122.html">input
-on debian-devel@</a>, and I concluded a few days ago to move forward
-with the feature this weekend, to give us some time to detect any
-remaining problems before Squeeze is frozen. If serious problems are
-detected, it is simple to change the default back to sequential boot.
-The upload of the new sysvinit package also activate a new upstream
-version.</p>
+ <title>Forcing new users to change their password on first login</title>
+ <link>http://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html</guid>
+ <pubDate>Sun, 2 May 2010 13:47:00 +0200</pubDate>
+ <description><p>One interesting feature in Active Directory, is the ability to
+create a new user with an expired password, and thus force the user to
+change the password on the first login attempt.</p>
-More information about
-<a href="http://wiki.debian.org/LSBInitScripts/DependencyBasedBoot">dependency
-based boot sequencing</a> is available from the Debian wiki. It is
-currently possible to disable parallel booting when one run into
-problems caused by it, by adding this line to /etc/default/rcS:</p>
+<p>I'm not quite sure how to do that with the LDAP setup in Debian
+Edu, but did some initial testing with a local account. The account
+and password aging information is available in /etc/shadow, but
+unfortunately, it is not possible to specify an expiration time for
+passwords, only a maximum age for passwords.</p>
+
+<p>A freshly created account (using adduser test) will have these
+settings in /etc/shadow:</p>
<blockquote><pre>
-CONCURRENCY=none
+root@tjener:~# chage -l test
+Last password change : May 02, 2010
+Password expires : never
+Password inactive : never
+Account expires : never
+Minimum number of days between password change : 0
+Maximum number of days between password change : 99999
+Number of days of warning before password expires : 7
+root@tjener:~#
</pre></blockquote>
-<p>If you report any problems with dependencies in init.d scripts to
-the BTS, please usertag the report to get it to show up at
-<a href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?users=initscripts-ng-devel@lists.alioth.debian.org">the
-list of usertagged bugs related to this</a>.</p>
+<p>The only way I could come up with to create a user with an expired
+account, is to change the date of the last password change to the
+lowest value possible (January 1th 1970), and the maximum password age
+to the difference in days between that date and today. To make it
+simple, I went for 30 years (30 * 365 = 10950) and January 2th (to
+avoid testing if 0 is a valid value).</p>
+
+<p>After using these commands to set it up, it seem to work as
+intended:</p>
+
+<blockquote><pre>
+root@tjener:~# chage -d 1 test; chage -M 10950 test
+root@tjener:~# chage -l test
+Last password change : Jan 02, 1970
+Password expires : never
+Password inactive : never
+Account expires : never
+Minimum number of days between password change : 0
+Maximum number of days between password change : 10950
+Number of days of warning before password expires : 7
+root@tjener:~#
+</pre></blockquote>
+
+<p>So far I have tested this with ssh and console, and kdm (in
+Squeeze) login, and all ask for a new password before login in the
+user (with ssh, I was thrown out and had to log in again).</p>
+
+<p>Perhaps we should set up something similar for Debian Edu, to make
+sure only the user itself have the account password?</p>
+
+<p>If you want to comment on or help out with implementing this for
+Debian Edu, please contact us on debian-edu@lists.debian.org.</p>
+
+<p>Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the
+shadow(8) page in Debian/testing now state that setting the date of
+last password change to zero (0) will force the password to be changed
+on the first login. This was not mentioned in the manual in Lenny, so
+I did not notice this in my initial testing. I have tested it on
+Squeeze, and '<tt>chage -d 0 username</tt>' do work there. I have not
+tested it on Lenny yet.</p>
+
+<p>Update 2010-05-02-19:05: Jim Paris tells me via email that an
+equivalent command to expire a password is '<tt>passwd -e
+username</tt>', which insert zero into the date of the last password
+change.</p>
</description>
</item>
projects / homepage.git / blobdiff