X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/503eaa90b477154d9c9caeb7258eaf45ff05fcc7..18757344c53e986ec6b86c54a64f4e202228aba4:/blog/archive/2010/05/index.html diff --git a/blog/archive/2010/05/index.html b/blog/archive/2010/05/index.html index fc51f8f8a4..1e02020516 100644 --- a/blog/archive/2010/05/index.html +++ b/blog/archive/2010/05/index.html @@ -23,143 +23,57 @@
- Forcing new users to change their password on first login + Parallellized boot seem to hold up well in Debian/testing
- 2nd May 2010 + 27th May 2010
-

One interesting feature in Active Directory, is the ability to -create a new user with an expired password, and thus force the user to -change the password on the first login attempt.

- -

I'm not quite sure how to do that with the LDAP setup in Debian -Edu, but did some initial testing with a local account. The account -and password aging information is available in /etc/shadow, but -unfortunately, it is not possible to specify an expiration time for -passwords, only a maximum age for passwords.

- -

A freshly created account (using adduser test) will have these -settings in /etc/shadow:

- -
-root@tjener:~# chage -l test
-Last password change                                    : May 02, 2010
-Password expires                                        : never
-Password inactive                                       : never
-Account expires                                         : never
-Minimum number of days between password change          : 0
-Maximum number of days between password change          : 99999
-Number of days of warning before password expires       : 7
-root@tjener:~#
-
- -

The only way I could come up with to create a user with an expired -account, is to change the date of the last password change to the -lowest value possible (January 1th 1970), and the maximum password age -to the difference in days between that date and today. To make it -simple, I went for 30 years (30 * 365 = 10950) and January 2th (to -avoid testing if 0 is a valid value).

- -

After using these commands to set it up, it seem to work as -intended:

- -
-root@tjener:~# chage -d 1 test; chage -M 10950 test
-root@tjener:~# chage -l test
-Last password change                                    : Jan 02, 1970
-Password expires                                        : never
-Password inactive                                       : never
-Account expires                                         : never
-Minimum number of days between password change          : 0
-Maximum number of days between password change          : 10950
-Number of days of warning before password expires       : 7
-root@tjener:~#  
-
- -

So far I have tested this with ssh and console, and kdm (in -Squeeze) login, and all ask for a new password before login in the -user (with ssh, I was thrown out and had to log in again).

- -

Perhaps we should set up something similar for Debian Edu, to make -sure only the user itself have the account password?

- -

If you want to comment on or help out with implementing this for -Debian Edu, please contact us on debian-edu@lists.debian.org.

- -

Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the -shadow(8) page in Debian/testing now state that setting the date of -last password change to zero (0) will force the password to be changed -on the first login. This was not mentioned in the manual in Lenny, so -I did not notice this in my initial testing. I have tested it on -Squeeze, and 'chage -d 0 username' do work there. I have not -tested it on Lenny yet.

+

A few days ago, parallel booting was enabled in Debian/testing. +The feature seem to hold up pretty well, but three fairly serious +issues are known and should be solved: -

Update 2010-05-02-19:05: Jim Paris tells me via email that an -equivalent command to expire a password is 'passwd -e -username', which insert zero into the date of the last password -change.

+

-
- - - Tags: debian edu, english, nuug, sikkerhet. - - -
-
-
- -
-
- Parallellizing the boot in Debian Squeeze - ready for wider testing -
-
- 6th May 2010 -
-
-

These days, the init.d script dependencies in Squeeze are quite -complete, so complete that it is actually possible to run all the -init.d scripts in parallell based on these dependencies. If you want -to test your Squeeze system, make sure -dependency -based boot sequencing is enabled, and add this line to -/etc/default/rcS:

+
  • The wicd package seen to +break NFS mounting and +network setup when +parallel booting is enabled. No idea why, but the wicd maintainer +seem to be on the case.
    • -
    -CONCURRENCY=makefile
-
    +
  • The nvidia X driver seem to +have a race condition +triggered more easily when parallel booting is in effect. The +maintainer is on the case.
    • -

    That is it. It will cause sysv-rc to use the startpar tool to run -scripts in parallel using the dependency information stored in -/etc/init.d/.depend.boot, /etc/init.d/.depend.start and -/etc/init.d/.depend.stop to order the scripts. Startpar is configured -to try to start the kdm and gdm scripts as early as possible, and will -start the facilities required by kdm or gdm as early as possible to -make this happen.

    +
  • The sysv-rc package fail to properly enable dependency based boot +sequencing (the shutdown is broken) when old file-rc users +try to switch back to +sysv-rc. One way to solve it would be for file-rc to create +/etc/init.d/.legacy-bootordering, and another is to try to make +sysv-rc more robust. Will investigate some more and probably upload a +workaround in sysv-rc to help those trying to move from file-rc to +sysv-rc get a working shutdown.
    • -

    Give it a try, and see if you like the result. If some services -fail to start properly, it is most likely because they have incomplete -init.d script dependencies in their startup script (or some of their -dependent scripts have incomplete dependencies). Report bugs and get -the package maintainers to fix it. :)

    +

    -

    Running scripts in parallel could be the default in Debian when we -manage to get the init.d script dependencies complete and correct. I -expect we will get there in Squeeze+1, if we get manage to test and -fix the remaining issues.

    +

    All in all not many surprising issues, and all of them seem +solvable before Squeeze is released. In addition to these there are +some packages with bugs in their dependencies and run level settings, +which I expect will be fixed in a reasonable time span.

    If you report any problems with dependencies in init.d scripts to the BTS, please usertag the report to get it to show up at the list of usertagged bugs related to this.

    +

    Update: Correct bug number to file-rc issue.

    +
    - Tags: bootsystem, debian, english. + Tags: bootsystem, debian, debian edu, english.
    @@ -168,50 +82,59 @@ list of usertagged bugs related to this.

    - systemd, an interesting alternative to upstart + More flexible firmware handling in debian-installer
    - 13th May 2010 + 22nd May 2010
    -

    The last few days a new boot system called -systemd -has been -introduced +

    After a long break from debian-installer development, I finally +found time today to return to the project. Having to spend less time +working dependency based boot in debian, as it is almost complete now, +definitely helped freeing some time.

    -to the free software world. I have not yet had time to play around -with it, but it seem to be a very interesting alternative to -upstart, and might prove to be -a good alternative for Debian when we are able to switch to an event -based boot system. Tollef is -in the process of getting -systemd into Debian, and I look forward to seeing how well it work. I -like the fact that systemd handles init.d scripts with dependency -information natively, allowing them to run in parallel where upstart -at the moment do not.

    +

    A while back, I ran into a problem while working on Debian Edu. We +include some firmware packages on the Debian Edu CDs, those needed to +get disk and network controllers working. Without having these +firmware packages available during installation, it is impossible to +install Debian Edu on the given machine, and because our target group +are non-technical people, asking them to provide firmware packages on +an external medium is a support pain. Initially, I expected it to be +enough to include the firmware packages on the CD to get +debian-installer to find and use them. This proved to be wrong. +Next, I hoped it was enough to symlink the relevant firmware packages +to some useful location on the CD (tried /cdrom/ and +/cdrom/firmware/). This also proved to not work, and at this point I +found time to look at the debian-installer code to figure out what was +going to work.

    -

    Unfortunately do systemd have the same problem as upstart regarding -platform support. It only work on recent Linux kernels, and also need -some new kernel features enabled to function properly. This means -kFreeBSD and Hurd ports of Debian will need a port or a different boot -system. Not sure how that will be handled if systemd proves to be the -way forward.

    +

    The firmware loading code is in the hw-detect package, and a closer +look revealed that it would only look for firmware packages outside +the installation media, so the CD was never checked for firmware +packages. It would only check USB sticks, floppies and other +"external" media devices. Today I changed it to also look in the +/cdrom/firmware/ directory on the mounted CD or DVD, which should +solve the problem I ran into with Debian edu. I also changed it to +look in /firmware/, to make sure the installer also find firmware +provided in the initrd when booting the installer via PXE, to allow us +to provide the same feature in the PXE setup included in Debian +Edu.

    -

    In the mean time, based on the -input -on debian-devel@ regarding parallel booting in Debian, I have -decided to enable full parallel booting as the default in Debian as -soon as possible (probably this weekend or early next week), to see if -there are any remaining serious bugs in the init.d dependencies. A -new version of the sysvinit package implementing this change is -already in experimental. If all go well, Squeeze will be released -with parallel booting enabled by default.

    +

    To make sure firmware deb packages with a license questions are not +activated without asking if the license is accepted, I extended +hw-detect to look for preinst scripts in the firmware packages, and +run these before activating the firmware during installation. The +license question is asked using debconf in the preinst, so this should +solve the issue for the firmware packages I have looked at so far.

    + +

    If you want to discuss the details of these features, please +contact us on debian-boot@lists.debian.org.

    - Tags: bootsystem, debian, english, nuug. + Tags: debian, debian edu, english.
    @@ -220,89 +143,72 @@ with parallel booting enabled by default.

    - Sitesummary tip: Listing MAC address of all clients + Magnetstripeinnhold i billetter fra Flytoget og Hurtigruten
    - 14th May 2010 + 21st May 2010
    -

    In the recent Debian Edu versions, the -sitesummary -system is used to keep track of the machines in the school -network. Each machine will automatically report its status to the -central server after boot and once per night. The network setup is -also reported, and using this information it is possible to get the -MAC address of all network interfaces in the machines. This is useful -to update the DHCP configuration.

    +

    For en stund tilbake kjøpte jeg en magnetkortleser for å kunne +titte på hva som er skrevet inn på magnetstripene til ulike kort. Har +ikke hatt tid til å analysere mange kort så langt, men tenkte jeg +skulle dele innholdet på to kort med mine lesere.

    -

    To give some idea how to use sitesummary, here is a one-liner to -ist all MAC addresses of all machines reporting to sitesummary. Run -this on the collector host:

    +

    For noen dager siden tok jeg flyet til Harstad og Hurtigruten til +Bergen. Flytoget fra Oslo S til flyplassen ga meg en billett med +magnetstripe. Påtrykket finner jeg følgende informasjon:

    -
    -perl -MSiteSummary -e 'for_all_hosts(sub { print join(" ", get_macaddresses(shift)), "\n"; });'
-
    +
    +Flytoget Airport Express Train
 
-
    This will list all MAC addresses assosiated with all machine, one
-line per machine and with space between the MAC addresses.
    
+Fra - Til        : Oslo Sentralstasjon
+Kategori         : Voksen
+Pris             : Nok 170,00
+Herav mva. 8,00% : NOK 12,59
+Betaling         : Kontant
+Til - Fra        : Oslo Lufthavn
+Utstedt:         : 08.05.10
+Gyldig Fra-Til   : 08.05.10-07.11.10
+Billetttype      : Enkeltbillett
 
-
    To allow system administrators easier job at adding static DHCP
-addresses for hosts, it would be possible to extend this to fetch
-machine information from sitesummary and update the DHCP and DNS
-tables in LDAP using this information.  Such tool is unfortunately not
-written yet.
    
+102-1015-100508-48382-01-08
+
    -
    -
    - - - Tags: debian, debian edu, english, sitesummary. - - -
    -
    -
    - -
    -
    - Parallellized boot is now the default in Debian/unstable -
    -
    - 14th May 2010 -
    -
    -

    Since this evening, parallel booting is the default in -Debian/unstable for machines using dependency based boot sequencing. -Apparently the testing of concurrent booting has been wider than -expected, if I am to believe the -input -on debian-devel@, and I concluded a few days ago to move forward -with the feature this weekend, to give us some time to detect any -remaining problems before Squeeze is frozen. If serious problems are -detected, it is simple to change the default back to sequential boot. -The upload of the new sysvinit package also activate a new upstream -version.

    +

    På selve magnetstripen er innholdet +;E?+900120011=23250996541068112619257138248441708433322932704083389389062603279671261502492655?. +Aner ikke hva innholdet representerer, og det er lite overlapp mellom +det jeg ser trykket på billetten og det jeg ser av tegn i +magnetstripen. Håper det betyr at de bruker kryptografiske metoder +for å gjøre det vanskelig å forfalske billetter.

    -More information about -dependency -based boot sequencing is available from the Debian wiki. It is -currently possible to disable parallel booting when one run into -problems caused by it, by adding this line to /etc/default/rcS:

    +

    Den andre billetten er fra Hurtigruten, der jeg mistenker at +strekkoden på fronten er mer brukt enn magnetstripen (det var i hvert +fall den biten vi stakk inn i dørlåsen).

    -
    -CONCURRENCY=none
-
    +

    Påtrykket forsiden er følgende:

    -

    If you report any problems with dependencies in init.d scripts to -the BTS, please usertag the report to get it to show up at -the -list of usertagged bugs related to this.

    +
    +Romnummer 727
+Hurtigruten
+Midnatsol
+Reinholdtsen
+Petter
+Bookingno: SAX69   0742193
+Harstad-Bergen
+Dep: 09.05.2010 Arr: 12.05.2010
+Lugar fra Risøyhamn
+Kost: FRO=4
+
    + +

    På selve magnetstripen er innholdet +;1316010007421930=00000000000000000000?+E?. Heller ikke her +ser jeg mye korrespondanse mellom påtrykk og magnetstripe.

    - Tags: bootsystem, debian, debian edu, english. + Tags: norsk, nuug, sikkerhet.
    @@ -382,72 +288,89 @@ please contact us on debian-edu@lists.debian.org.

    - Magnetstripeinnhold i billetter fra Flytoget og Hurtigruten + Parallellized boot is now the default in Debian/unstable
    - 21st May 2010 + 14th May 2010
    -

    For en stund tilbake kjøpte jeg en magnetkortleser for å kunne -titte på hva som er skrevet inn på magnetstripene til ulike kort. Har -ikke hatt tid til å analysere mange kort så langt, men tenkte jeg -skulle dele innholdet på to kort med mine lesere.

    - -

    For noen dager siden tok jeg flyet til Harstad og Hurtigruten til -Bergen. Flytoget fra Oslo S til flyplassen ga meg en billett med -magnetstripe. Påtrykket finner jeg følgende informasjon:

    +

    Since this evening, parallel booting is the default in +Debian/unstable for machines using dependency based boot sequencing. +Apparently the testing of concurrent booting has been wider than +expected, if I am to believe the +input +on debian-devel@, and I concluded a few days ago to move forward +with the feature this weekend, to give us some time to detect any +remaining problems before Squeeze is frozen. If serious problems are +detected, it is simple to change the default back to sequential boot. +The upload of the new sysvinit package also activate a new upstream +version.

    -
    -Flytoget Airport Express Train
+More information about
+dependency
+based boot sequencing is available from the Debian wiki.  It is
+currently possible to disable parallel booting when one run into
+problems caused by it, by adding this line to /etc/default/rcS:
    
 
-Fra - Til        : Oslo Sentralstasjon
-Kategori         : Voksen
-Pris             : Nok 170,00
-Herav mva. 8,00% : NOK 12,59
-Betaling         : Kontant
-Til - Fra        : Oslo Lufthavn
-Utstedt:         : 08.05.10
-Gyldig Fra-Til   : 08.05.10-07.11.10
-Billetttype      : Enkeltbillett
+
    +CONCURRENCY=none
+
    
 
-102-1015-100508-48382-01-08
-
    +

    If you report any problems with dependencies in init.d scripts to +the BTS, please usertag the report to get it to show up at +the +list of usertagged bugs related to this.

    -

    På selve magnetstripen er innholdet -;E?+900120011=23250996541068112619257138248441708433322932704083389389062603279671261502492655?. -Aner ikke hva innholdet representerer, og det er lite overlapp mellom -det jeg ser trykket på billetten og det jeg ser av tegn i -magnetstripen. Håper det betyr at de bruker kryptografiske metoder -for å gjøre det vanskelig å forfalske billetter.

    +
    +
    + + + Tags: bootsystem, debian, debian edu, english. + + +
    +
    +
    + +
    +
    + Sitesummary tip: Listing MAC address of all clients +
    +
    + 14th May 2010 +
    +
    +

    In the recent Debian Edu versions, the +sitesummary +system is used to keep track of the machines in the school +network. Each machine will automatically report its status to the +central server after boot and once per night. The network setup is +also reported, and using this information it is possible to get the +MAC address of all network interfaces in the machines. This is useful +to update the DHCP configuration.

    -

    Den andre billetten er fra Hurtigruten, der jeg mistenker at -strekkoden på fronten er mer brukt enn magnetstripen (det var i hvert -fall den biten vi stakk inn i dørlåsen).

    +

    To give some idea how to use sitesummary, here is a one-liner to +ist all MAC addresses of all machines reporting to sitesummary. Run +this on the collector host:

    -

    Påtrykket forsiden er følgende:

    +
    +perl -MSiteSummary -e 'for_all_hosts(sub { print join(" ", get_macaddresses(shift)), "\n"; });'
+
    -
    -Romnummer 727
-Hurtigruten
-Midnatsol
-Reinholdtsen
-Petter
-Bookingno: SAX69   0742193
-Harstad-Bergen
-Dep: 09.05.2010 Arr: 12.05.2010
-Lugar fra Risøyhamn
-Kost: FRO=4
-
    +

    This will list all MAC addresses assosiated with all machine, one +line per machine and with space between the MAC addresses.

    -

    På selve magnetstripen er innholdet -;1316010007421930=00000000000000000000?+E?. Heller ikke her -ser jeg mye korrespondanse mellom påtrykk og magnetstripe.

    +

    To allow system administrators easier job at adding static DHCP +addresses for hosts, it would be possible to extend this to fetch +machine information from sitesummary and update the DHCP and DNS +tables in LDAP using this information. Such tool is unfortunately not +written yet.

    - Tags: norsk, nuug, sikkerhet. + Tags: debian, debian edu, english, sitesummary.
    @@ -456,59 +379,50 @@ ser jeg mye korrespondanse mellom påtrykk og magnetstripe.

    - More flexible firmware handling in debian-installer + systemd, an interesting alternative to upstart
    - 22nd May 2010 + 13th May 2010
    -

    After a long break from debian-installer development, I finally -found time today to return to the project. Having to spend less time -working dependency based boot in debian, as it is almost complete now, -definitely helped freeing some time.

    - -

    A while back, I ran into a problem while working on Debian Edu. We -include some firmware packages on the Debian Edu CDs, those needed to -get disk and network controllers working. Without having these -firmware packages available during installation, it is impossible to -install Debian Edu on the given machine, and because our target group -are non-technical people, asking them to provide firmware packages on -an external medium is a support pain. Initially, I expected it to be -enough to include the firmware packages on the CD to get -debian-installer to find and use them. This proved to be wrong. -Next, I hoped it was enough to symlink the relevant firmware packages -to some useful location on the CD (tried /cdrom/ and -/cdrom/firmware/). This also proved to not work, and at this point I -found time to look at the debian-installer code to figure out what was -going to work.

    +

    The last few days a new boot system called +systemd +has been +introduced -

    The firmware loading code is in the hw-detect package, and a closer -look revealed that it would only look for firmware packages outside -the installation media, so the CD was never checked for firmware -packages. It would only check USB sticks, floppies and other -"external" media devices. Today I changed it to also look in the -/cdrom/firmware/ directory on the mounted CD or DVD, which should -solve the problem I ran into with Debian edu. I also changed it to -look in /firmware/, to make sure the installer also find firmware -provided in the initrd when booting the installer via PXE, to allow us -to provide the same feature in the PXE setup included in Debian -Edu.

    +to the free software world. I have not yet had time to play around +with it, but it seem to be a very interesting alternative to +upstart, and might prove to be +a good alternative for Debian when we are able to switch to an event +based boot system. Tollef is +in the process of getting +systemd into Debian, and I look forward to seeing how well it work. I +like the fact that systemd handles init.d scripts with dependency +information natively, allowing them to run in parallel where upstart +at the moment do not.

    -

    To make sure firmware deb packages with a license questions are not -activated without asking if the license is accepted, I extended -hw-detect to look for preinst scripts in the firmware packages, and -run these before activating the firmware during installation. The -license question is asked using debconf in the preinst, so this should -solve the issue for the firmware packages I have looked at so far.

    +

    Unfortunately do systemd have the same problem as upstart regarding +platform support. It only work on recent Linux kernels, and also need +some new kernel features enabled to function properly. This means +kFreeBSD and Hurd ports of Debian will need a port or a different boot +system. Not sure how that will be handled if systemd proves to be the +way forward.

    -

    If you want to discuss the details of these features, please -contact us on debian-boot@lists.debian.org.

    +

    In the mean time, based on the +input +on debian-devel@ regarding parallel booting in Debian, I have +decided to enable full parallel booting as the default in Debian as +soon as possible (probably this weekend or early next week), to see if +there are any remaining serious bugs in the init.d dependencies. A +new version of the sysvinit package implementing this change is +already in experimental. If all go well, Squeeze will be released +with parallel booting enabled by default.

    - Tags: debian, debian edu, english. + Tags: bootsystem, debian, english, nuug.
    @@ -517,57 +431,143 @@ contact us on debian-boot@lists.debian.org.

    - Parallellized boot seem to hold up well in Debian/testing + Parallellizing the boot in Debian Squeeze - ready for wider testing
    - 27th May 2010 + 6th May 2010
    -

    A few days ago, parallel booting was enabled in Debian/testing. -The feature seem to hold up pretty well, but three fairly serious -issues are known and should be solved: - -

      - -
    • The wicd package seen to -break NFS mounting and -network setup when -parallel booting is enabled. No idea why, but the wicd maintainer -seem to be on the case.
      • +

      These days, the init.d script dependencies in Squeeze are quite +complete, so complete that it is actually possible to run all the +init.d scripts in parallell based on these dependencies. If you want +to test your Squeeze system, make sure +dependency +based boot sequencing is enabled, and add this line to +/etc/default/rcS:

      -
    • The nvidia X driver seem to -have a race condition -triggered more easily when parallel booting is in effect. The -maintainer is on the case.
      • +
      +CONCURRENCY=makefile
+
      -
    • The sysv-rc package fail to properly enable dependency based boot -sequencing (the shutdown is broken) when old file-rc users -try to switch back to -sysv-rc. One way to solve it would be for file-rc to create -/etc/init.d/.legacy-bootordering, and another is to try to make -sysv-rc more robust. Will investigate some more and probably upload a -workaround in sysv-rc to help those trying to move from file-rc to -sysv-rc get a working shutdown.
      • +

      That is it. It will cause sysv-rc to use the startpar tool to run +scripts in parallel using the dependency information stored in +/etc/init.d/.depend.boot, /etc/init.d/.depend.start and +/etc/init.d/.depend.stop to order the scripts. Startpar is configured +to try to start the kdm and gdm scripts as early as possible, and will +start the facilities required by kdm or gdm as early as possible to +make this happen.

      -

    +

    Give it a try, and see if you like the result. If some services +fail to start properly, it is most likely because they have incomplete +init.d script dependencies in their startup script (or some of their +dependent scripts have incomplete dependencies). Report bugs and get +the package maintainers to fix it. :)

    -

    All in all not many surprising issues, and all of them seem -solvable before Squeeze is released. In addition to these there are -some packages with bugs in their dependencies and run level settings, -which I expect will be fixed in a reasonable time span.

    +

    Running scripts in parallel could be the default in Debian when we +manage to get the init.d script dependencies complete and correct. I +expect we will get there in Squeeze+1, if we get manage to test and +fix the remaining issues.

    If you report any problems with dependencies in init.d scripts to the BTS, please usertag the report to get it to show up at the list of usertagged bugs related to this.

    -

    Update: Correct bug number to file-rc issue.

    +
    +
    + + + Tags: bootsystem, debian, english. + + +
    +
    +
    + +
    +
    + Forcing new users to change their password on first login +
    +
    + 2nd May 2010 +
    +
    +

    One interesting feature in Active Directory, is the ability to +create a new user with an expired password, and thus force the user to +change the password on the first login attempt.

    + +

    I'm not quite sure how to do that with the LDAP setup in Debian +Edu, but did some initial testing with a local account. The account +and password aging information is available in /etc/shadow, but +unfortunately, it is not possible to specify an expiration time for +passwords, only a maximum age for passwords.

    + +

    A freshly created account (using adduser test) will have these +settings in /etc/shadow:

    + +
    +root@tjener:~# chage -l test
+Last password change                                    : May 02, 2010
+Password expires                                        : never
+Password inactive                                       : never
+Account expires                                         : never
+Minimum number of days between password change          : 0
+Maximum number of days between password change          : 99999
+Number of days of warning before password expires       : 7
+root@tjener:~#
+
    + +

    The only way I could come up with to create a user with an expired +account, is to change the date of the last password change to the +lowest value possible (January 1th 1970), and the maximum password age +to the difference in days between that date and today. To make it +simple, I went for 30 years (30 * 365 = 10950) and January 2th (to +avoid testing if 0 is a valid value).

    + +

    After using these commands to set it up, it seem to work as +intended:

    + +
    +root@tjener:~# chage -d 1 test; chage -M 10950 test
+root@tjener:~# chage -l test
+Last password change                                    : Jan 02, 1970
+Password expires                                        : never
+Password inactive                                       : never
+Account expires                                         : never
+Minimum number of days between password change          : 0
+Maximum number of days between password change          : 10950
+Number of days of warning before password expires       : 7
+root@tjener:~#  
+
    + +

    So far I have tested this with ssh and console, and kdm (in +Squeeze) login, and all ask for a new password before login in the +user (with ssh, I was thrown out and had to log in again).

    + +

    Perhaps we should set up something similar for Debian Edu, to make +sure only the user itself have the account password?

    + +

    If you want to comment on or help out with implementing this for +Debian Edu, please contact us on debian-edu@lists.debian.org.

    + +

    Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the +shadow(8) page in Debian/testing now state that setting the date of +last password change to zero (0) will force the password to be changed +on the first login. This was not mentioned in the manual in Lenny, so +I did not notice this in my initial testing. I have tested it on +Squeeze, and 'chage -d 0 username' do work there. I have not +tested it on Lenny yet.

    + +

    Update 2010-05-02-19:05: Jim Paris tells me via email that an +equivalent command to expire a password is 'passwd -e +username', which insert zero into the date of the last password +change.

    - Tags: bootsystem, debian, debian edu, english. + Tags: debian edu, english, nuug, sikkerhet.
    @@ -597,7 +597,13 @@ list of usertagged bugs related to this.

  • June (20)
    • -
  • July (3)
    • +
  • July (17)
    • + +
  • August (6)
    • + +
  • September (9)
    • + +
  • October (16)
    • @@ -716,25 +722,29 @@ list of usertagged bugs related to this.

  • bsa (2)
    • -
  • debian (55)
    • +
  • debian (57)
    • -
  • debian edu (106)
    • +
  • debian edu (115)
  • digistan (9)
    • +
  • docbook (7)
    • +
  • drivstoffpriser (4)
    • -
  • english (137)
    • +
  • english (156)
    • -
  • fiksgatami (16)
    • +
  • fiksgatami (19)
  • fildeling (12)
    • -
  • frikanalen (5)
    • +
  • freeculture (8)
    • + +
  • frikanalen (8)
    • -
  • intervju (29)
    • +
  • intervju (31)
    • -
  • kart (16)
    • +
  • kart (17)
  • ldap (8)
    • @@ -742,19 +752,19 @@ list of usertagged bugs related to this.

  • ltsp (1)
    • -
  • multimedia (21)
    • +
  • multimedia (25)
    • -
  • norsk (183)
    • +
  • norsk (209)
    • -
  • nuug (134)
    • +
  • nuug (145)
    • -
  • offentlig innsyn (3)
    • +
  • offentlig innsyn (6)
  • open311 (2)
    • -
  • opphavsrett (30)
    • +
  • opphavsrett (37)
    • -
  • personvern (48)
    • +
  • personvern (54)
  • raid (1)
    • @@ -770,27 +780,27 @@ list of usertagged bugs related to this.

  • scraperwiki (2)
    • -
  • sikkerhet (23)
    • +
  • sikkerhet (24)
  • sitesummary (4)
    • -
  • skepsis (1)
    • +
  • skepsis (4)
    • -
  • standard (34)
    • +
  • standard (38)
    • -
  • stavekontroll (1)
    • +
  • stavekontroll (3)
    • -
  • stortinget (4)
    • +
  • stortinget (5)
    • -
  • surveillance (10)
    • +
  • surveillance (11)
    • -
  • valg (6)
    • +
  • valg (7)
    • -
  • video (30)
    • +
  • video (35)
    • -
  • vitenskap (1)
    • +
  • vitenskap (4)
    • -
  • web (24)
    • +
  • web (26)