pere.pagekite.me Git - homepage.git/blob - blog/archive/2010/05/05.rss
<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/'>
<channel>
<title>Petter Reinholdtsen - Entries from May 2010</title>
<description>Entries from May 2010</description>
<link>http://people.skolelinux.org/pere/blog/</link>


<item>
<title>Forcing new users to change their password on first login</title>
<link>http://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html</link>
<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Forcing_new_users_to_change_their_password_on_first_login.html</guid>
<pubDate>Sun, 2 May 2010 13:47:00 +0200</pubDate>
<description>
&lt;p&gt;One interesting feature in Active Directory is the ability to
create a new user with an expired password, and thus force the user to
change the password on the first login attempt.&lt;/p&gt;

&lt;p&gt;I&#39;m not quite sure how to do that with the LDAP setup in Debian
Edu, but did some initial testing with a local account. The account
and password aging information is available in /etc/shadow, but
unfortunately, it is not possible to specify an expiration time for
passwords, only a maximum age for passwords.&lt;/p&gt;

&lt;p&gt;A freshly created account (using adduser test) will have these
settings in /etc/shadow:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
root@tjener:~# chage -l test
Last password change : May 02, 2010
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
root@tjener:~#
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;The only way I could come up with to create a user with an expired
account is to change the date of the last password change to the
lowest value possible (January 1st 1970), and the maximum password age
to the difference in days between that date and today. To make it
simple, I went for 30 years (30 * 365 = 10950) and January 2nd (to
avoid testing if 0 is a valid value).&lt;/p&gt;

&lt;p&gt;After using these commands to set it up, it seems to work as
intended:&lt;/p&gt;

&lt;blockquote&gt;&lt;pre&gt;
root@tjener:~# chage -d 1 test; chage -M 10950 test
root@tjener:~# chage -l test
Last password change : Jan 02, 1970
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 10950
Number of days of warning before password expires : 7
root@tjener:~#
&lt;/pre&gt;&lt;/blockquote&gt;

&lt;p&gt;So far I have tested this with ssh and console login, and kdm (in
Squeeze) login, and all ask for a new password before logging in the
user (with ssh, I was thrown out and had to log in again).&lt;/p&gt;

&lt;p&gt;Perhaps we should set up something similar for Debian Edu, to make
sure only the user itself has the account password?&lt;/p&gt;

&lt;p&gt;If you want to comment on or help out with implementing this for
Debian Edu, please contact us on debian-edu@lists.debian.org.&lt;/p&gt;

&lt;p&gt;Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the
shadow(8) page in Debian/testing now states that setting the date of
the last password change to zero (0) will force the password to be changed
on the first login. This was not mentioned in the manual in Lenny, so
I did not notice this in my initial testing. I have tested it on
Squeeze, and &#39;&lt;tt&gt;chage -d 0 username&lt;/tt&gt;&#39; does work there. I have not
tested it on Lenny yet.&lt;/p&gt;

&lt;p&gt;Update 2010-05-02 19:05: Jim Paris tells me via email that an
equivalent command to expire a password is &#39;&lt;tt&gt;passwd -e
username&lt;/tt&gt;&#39;, which inserts zero into the date of the last password
change.&lt;/p&gt;
</description>
</item>

</channel>
</rss>