<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<title>Petter Reinholdtsen: Forcing new users to change their password on first login</title>
<link rel="stylesheet" type="text/css" media="screen" href="http://people.skolelinux.org/pere/blog/style.css" />
<link rel="stylesheet" type="text/css" media="screen" href="http://people.skolelinux.org/pere/blog/vim.css" />
</head>
<body>
<div class="title">
<h1>
<a href="http://people.skolelinux.org/pere/blog/">Petter Reinholdtsen</a>

</h1>

</div>


<div class="entry">
<div class="title">Forcing new users to change their password on first login</div>
<div class="date"> 2nd May 2010</div>
<div class="body"><p>One interesting feature in Active Directory is the ability to
create a new user with an expired password, and thus force the user to
change the password on the first login attempt.</p>

<p>I'm not quite sure how to do that with the LDAP setup in Debian
Edu, but did some initial testing with a local account. The account
and password aging information is available in /etc/shadow, but
unfortunately, it is not possible to specify an expiration time for
passwords, only a maximum age for passwords.</p>

<p>A freshly created account (using adduser test) will have these
settings in /etc/shadow:</p>

<blockquote><pre>
root@tjener:~# chage -l test
Last password change : May 02, 2010
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
root@tjener:~#
</pre></blockquote>

<p>The only way I could come up with to create a user with an expired
account, is to change the date of the last password change to the
lowest value possible (January 1st 1970), and the maximum password age
to the difference in days between that date and today. To make it
simple, I went for 30 years (30 * 365 = 10950) and January 2nd (to
avoid testing if 0 is a valid value).</p>

<p>After using these commands to set it up, it seems to work as
intended:</p>

<blockquote><pre>
root@tjener:~# chage -d 1 test; chage -M 10950 test
root@tjener:~# chage -l test
Last password change : Jan 02, 1970
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 10950
Number of days of warning before password expires : 7
root@tjener:~#
</pre></blockquote>

<p>So far I have tested this with ssh and console, and kdm (in
Squeeze) login, and all ask for a new password before logging in the
user (with ssh, I was thrown out and had to log in again).</p>

<p>Perhaps we should set up something similar for Debian Edu, to make
sure only the user itself has the account password?</p>

<p>If you want to comment on or help out with implementing this for
Debian Edu, please contact us on debian-edu@lists.debian.org.</p>

<p>Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the
shadow(8) page in Debian/testing now states that setting the date of
last password change to zero (0) will force the password to be changed
on the first login. This was not mentioned in the manual in Lenny, so
I did not notice this in my initial testing. I have tested it on
Squeeze, and '<tt>chage -d 0 username</tt>' does work there. I have not
tested it on Lenny yet.</p>

<p>Update 2010-05-02 19:05: Jim Paris tells me via email that an
equivalent command to expire a password is '<tt>passwd -e
username</tt>', which inserts zero into the date of the last password
change.</p>
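
<p>An added example, not part of the original post: a small audit
script that reads shadow-format lines and reports which accounts will be
asked for a new password, covering the three states shown above (fresh
account, the day 1 plus maximum age workaround, and a zeroed last-change
date). The function names and the sample entries are constructed for
illustration, and the aging model is simplified to the last-change and
maximum-age fields.</p>

```shell
#!/bin/sh
# Classify the password-aging state of a shadow(5) entry.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Simplified model (assumption): only lastchg and max are evaluated;
# the inactive and expire fields are ignored.

# aging_state LINE TODAY   (TODAY = days since 1970-01-01)
aging_state() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
        NF < 5          { print "malformed"; exit }
        $3 == ""        { print "aging-disabled"; exit } # no lastchg recorded
        $3 + 0 == 0     { print "must-change"; exit }    # chage -d 0, passwd -e
        $5 == ""        { print "ok"; exit }             # no maximum age
        today > $3 + $5 { print "aged"; exit }           # older than max days
                        { print "ok" }'
}

# today_days: current date as days since the epoch, the unit shadow uses
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# Constructed sample entries (HASH is a placeholder, not real data):
# the three states shown in the post
sample_shadow() {
    cat <<'EOF'
fresh:HASH:14731:0:99999:7:::
trick:HASH:1:0:10950:7:::
zeroed:HASH:0:0:99999:7:::
EOF
}

# audit TODAY: read shadow-format lines on stdin, print "user state"
audit() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s\n' "${line%%:*}" "$(aging_state "$line" "$1")"
    done
}

# 14731 is May 02, 2010, the date of the first chage listing
sample_shadow | audit 14731
# On a live system (as root): audit "$(today_days)" < /etc/shadow
```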
</div>

<div class="tags">Tags: <a href="http://people.skolelinux.org/pere/blog/tags/debian edu">debian edu</a>, <a href="http://people.skolelinux.org/pere/blog/tags/english">english</a>, <a href="http://people.skolelinux.org/pere/blog/tags/nuug">nuug</a>, <a href="http://people.skolelinux.org/pere/blog/tags/sikkerhet">sikkerhet</a>.</div>

</div>

<p style="text-align: right">
Created by <a href="http://steve.org.uk/Software/chronicle">Chronicle v4.4</a>
</p>

</body>
</html>