blog/data/2010-05-02-expired-passwords.txt

   1 Title: Forcing new users to change their password on first login
   2 Tags: english, nuug, debian edu, sikkerhet
   3 Date: 2010-05-02 13:47
   4
   5 <p>One interesting feature in Active Directory, is the ability to
   6 create a new user with an expired password, and thus force the user to
   7 change the password on the first login attempt.</p>
   8
   9 <p>I'm not quite sure how to do that with the LDAP setup in Debian
  10 Edu, but did some initial testing with a local account.  The account
  11 and password aging information is available in /etc/shadow, but
  12 unfortunately, it is not possible to specify an expiration time for
  13 passwords, only a maximum age for passwords.</p>
  14
  15 <p>A freshly created account (using adduser test) will have these
  16 settings in /etc/shadow:</p>
  17
  18 <blockquote><pre>
  19 root@tjener:~# chage -l test
  20 Last password change                                    : May 02, 2010
  21 Password expires                                        : never
  22 Password inactive                                       : never
  23 Account expires                                         : never
  24 Minimum number of days between password change          : 0
  25 Maximum number of days between password change          : 99999
  26 Number of days of warning before password expires       : 7
  27 root@tjener:~#
  28 </pre></blockquote>
  29
  30 <p>The only way I could come up with to create a user with an expired
  31 account, is to change the date of the last password change to the
  32 lowest value possible (January 1th 1970), and the maximum password age
  33 to the difference in days between that date and today.  To make it
  34 simple, I went for 30 years (30 * 365 = 10950) and January 2th (to
  35 avoid testing if 0 is a valid value).</p>
  36
  37 <p>After using these commands to set it up, it seem to work as
  38 intended:</p>
  39
  40 <blockquote><pre>
  41 root@tjener:~# chage -d 1 test; chage -M 10950 test
  42 root@tjener:~# chage -l test
  43 Last password change                                    : Jan 02, 1970
  44 Password expires                                        : never
  45 Password inactive                                       : never
  46 Account expires                                         : never
  47 Minimum number of days between password change          : 0
  48 Maximum number of days between password change          : 10950
  49 Number of days of warning before password expires       : 7
  50 root@tjener:~#
  51 </pre></blockquote>
  52
  53 <p>So far I have tested this with ssh and console, and kdm (in
  54 Squeeze) login, and all ask for a new password before login in the
  55 user (with ssh, I was thrown out and had to log in again).</p>
  56
  57 <p>Perhaps we should set up something similar for Debian Edu, to make
  58 sure only the user itself have the account password?</p>
  59
  60 <p>If you want to comment on or help out with implementing this for
  61 Debian Edu, please contact us on debian-edu@lists.debian.org.</p>
  62
  63 <p>Update 2010-05-02 17:20: Paul Tötterman tells me on IRC that the
  64 shadow(8) page in Debian/testing now state that setting the date of
  65 last password change to zero (0) will force the password to be changed
  66 on the first login.  This was not mentioned in the manual in Lenny, so
  67 I did not notice this in my initial testing.  I have tested it on
  68 Squeeze, and '<tt>chage -d 0 username</tt>' do work there.  I have not
  69 tested it on Lenny yet.</p>
  70
  71 <p>Update 2010-05-02-19:05: Jim Paris tells me via email that an
  72 equivalent command to expire a password is '<tt>passwd -e
  73 username</tt>', which insert zero into the date of the last password
  74 change.</p>