]> pere.pagekite.me Git - homepage.git/blob - blog/archive/2010/05/index.html
Generated.
[homepage.git] / blog / archive / 2010 / 05 / index.html
1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html>
4 <head>
5 <title>Petter Reinholdtsen: entries from May 2010</title>
6 <link rel="stylesheet" type="text/css" media="screen" href="../../../style.css">
7 <link rel="alternate" title="RSS Feed" href="05.rss" type="application/rss+xml">
8 </head>
9 <body>
10 <!-- XML FEED -->
11
12 <div class="title">
13 <h1>
14 <a href="../../../">Petter Reinholdtsen</a>
15
16 </h1>
17
18 </div>
19
20 <p>Entries from May 2010.</p>
21
22
23 <div class="entry">
24 <div class="title">
25 <a href="../../../Forcing_new_users_to_change_their_password_on_first_login.html">Forcing new users to change their password on first login</a>
26 </div>
27 <div class="date">
28 2010-05-02 13:47
29 </div>
30
31 <div class="body">
32
33 <p>One interesting feature in Active Directory, is the ability to
34 create a new user with an expired password, and thus force the user to
35 change the password on the first login attempt.</p>
36
37 <p>I'm not quite sure how to do that with the LDAP setup in Debian
38 Edu, but did some initial testing with a local account. The account
39 and password aging information is available in /etc/shadow, but
40 unfortunately, it is not possible to specify an expiration time for
41 passwords, only a maximum age for passwords.</p>
42
43 <p>A freshly created account (using adduser test) will have these
44 settings in /etc/shadow:</p>
45
46 <blockquote><pre>
47 root@tjener:~# chage -l test
48 Last password change : May 02, 2010
49 Password expires : never
50 Password inactive : never
51 Account expires : never
52 Minimum number of days between password change : 0
53 Maximum number of days between password change : 99999
54 Number of days of warning before password expires : 7
55 root@tjener:~#
56 </pre></blockquote>
57
58 <p>The only way I could come up with to create a user with an expired
59 account, is to change the date of the last password change to the
60 lowest value possible (January 1th 1970), and the maximum password age
61 to the difference in days between that date and today. To make it
62 simple, I went for 30 years (30 * 365 = 10950) and January 2th (to
63 avoid testing if 0 is a valid value).</p>
64
65 <p>After using these commands to set it up, it seem to work as
66 intended:</p>
67
68 <blockquote><pre>
69 root@tjener:~# chage -d 1 test; chage -M 10950 test
70 root@tjener:~# chage -l test
71 Last password change : Jan 02, 1970
72 Password expires : never
73 Password inactive : never
74 Account expires : never
75 Minimum number of days between password change : 0
76 Maximum number of days between password change : 10950
77 Number of days of warning before password expires : 7
78 root@tjener:~#
79 </pre></blockquote>
80
81 <p>So far I have tested this with ssh and console, and kdm (in
82 Squeeze) login, and all ask for a new password before login in the
83 user (with ssh, I was thrown out and had to log in again).</p>
84
85 <p>Perhaps we should set up something similar for Debian Edu, to make
86 sure only the user itself have the account password?</p>
87
88 <p>If you want to comment on or help out with implementing this for
89 Debian Edu, please contact us on debian-edu@lists.debian.org.</p>
90
91 <p>Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the
92 shadow(8) page in Debian/testing now state that setting the date of
93 last password change to zero (0) will force the password to be changed
94 on the first login. This was not mentioned in the manual in Lenny, so
95 I did not notice this in my initial testing. I have tested it on
96 Squeeze, and '<tt>chage -d 0 username</tt>' do work there. I have not
97 tested it on Lenny yet.</p>
98
99 </div>
100 <div class="tags">
101
102
103
104 Tags: <a href="../../../tags/debian edu">debian edu</a>, <a href="../../../tags/english">english</a>, <a href="../../../tags/nuug">nuug</a>, <a href="../../../tags/sikkerhet">sikkerhet</a>.
105
106 </div>
107 </div>
108 <div class="padding"></div>
109
110 <p style="text-align: right;"><a href="05.rss"><img src="../../../xml.gif" alt="RSS Feed" width="36" height="14"></a></p>
111
112
113
114 <div id="sidebar">
115
116 <h2>Archive</h2>
117 <ul>
118
119 <li>2010
120 <ul>
121
122 <li><a href="../../../archive/2010/01/">January (2)</a></li>
123
124 <li><a href="../../../archive/2010/02/">February (1)</a></li>
125
126 <li><a href="../../../archive/2010/03/">March (3)</a></li>
127
128 <li><a href="../../../archive/2010/04/">April (3)</a></li>
129
130 <li><a href="../../../archive/2010/05/">May (1)</a></li>
131
132 </ul></li>
133
134 <li>2009
135 <ul>
136
137 <li><a href="../../../archive/2009/01/">January (8)</a></li>
138
139 <li><a href="../../../archive/2009/02/">February (8)</a></li>
140
141 <li><a href="../../../archive/2009/03/">March (12)</a></li>
142
143 <li><a href="../../../archive/2009/04/">April (10)</a></li>
144
145 <li><a href="../../../archive/2009/05/">May (9)</a></li>
146
147 <li><a href="../../../archive/2009/06/">June (3)</a></li>
148
149 <li><a href="../../../archive/2009/07/">July (4)</a></li>
150
151 <li><a href="../../../archive/2009/08/">August (3)</a></li>
152
153 <li><a href="../../../archive/2009/09/">September (1)</a></li>
154
155 <li><a href="../../../archive/2009/10/">October (2)</a></li>
156
157 <li><a href="../../../archive/2009/11/">November (3)</a></li>
158
159 <li><a href="../../../archive/2009/12/">December (3)</a></li>
160
161 </ul></li>
162
163 <li>2008
164 <ul>
165
166 <li><a href="../../../archive/2008/11/">November (5)</a></li>
167
168 <li><a href="../../../archive/2008/12/">December (7)</a></li>
169
170 </ul></li>
171
172 </ul>
173
174
175
176 <h2>Tags</h2>
177 <ul>
178
179 <li><a href="../../../tags/3d-printer">3d-printer (11)</a></li>
180
181 <li><a href="../../../tags/amiga">amiga (1)</a></li>
182
183 <li><a href="../../../tags/aros">aros (1)</a></li>
184
185 <li><a href="../../../tags/debian">debian (14)</a></li>
186
187 <li><a href="../../../tags/debian edu">debian edu (15)</a></li>
188
189 <li><a href="../../../tags/english">english (24)</a></li>
190
191 <li><a href="../../../tags/fiksgatami">fiksgatami (1)</a></li>
192
193 <li><a href="../../../tags/fildeling">fildeling (6)</a></li>
194
195 <li><a href="../../../tags/kart">kart (2)</a></li>
196
197 <li><a href="../../../tags/lenker">lenker (1)</a></li>
198
199 <li><a href="../../../tags/ltsp">ltsp (1)</a></li>
200
201 <li><a href="../../../tags/multimedia">multimedia (5)</a></li>
202
203 <li><a href="../../../tags/norsk">norsk (64)</a></li>
204
205 <li><a href="../../../tags/nuug">nuug (71)</a></li>
206
207 <li><a href="../../../tags/opphavsrett">opphavsrett (12)</a></li>
208
209 <li><a href="../../../tags/personvern">personvern (11)</a></li>
210
211 <li><a href="../../../tags/reprap">reprap (10)</a></li>
212
213 <li><a href="../../../tags/rss">rss (1)</a></li>
214
215 <li><a href="../../../tags/sikkerhet">sikkerhet (7)</a></li>
216
217 <li><a href="../../../tags/standard">standard (11)</a></li>
218
219 <li><a href="../../../tags/stavekontroll">stavekontroll (1)</a></li>
220
221 <li><a href="../../../tags/video">video (10)</a></li>
222
223 <li><a href="../../../tags/vitenskap">vitenskap (1)</a></li>
224
225 <li><a href="../../../tags/web">web (6)</a></li>
226
227 </ul>
228
229 </div>
230 </body>
231 </html>