<link></link>
<atom:link href="index.rss" rel="self" type="application/rss+xml" />
+ <item>
+ <title>Forcing new users to change their password on first login</title>
+ <link>Forcing_new_users_to_change_their_password_on_first_login.html</link>
+ <guid isPermaLink="true">Forcing_new_users_to_change_their_password_on_first_login.html</guid>
+ <pubDate>Sun, 2 May 2010 13:40:00 +0200</pubDate>
+ <description>
+<p>One interesting feature in Active Directory, is the ability to
+create a new user with an expired password, and thus force the user to
+change the password on the first login attempt.</p>
+
+<p>I'm not quite sure how to do that with the LDAP setup in Debian
+Edu, but did some initial testing with a local account. The account
+and password aging information is available in /etc/shadow, but
+unfortunately, it is not possible to specify an expiration time for
+passwords, only a maximum age for passwords.</p>
+
+<p>A freshly created account (using adduser test) will have these
+settings in /etc/shadow:</p>
+
+<blockquote><pre>
+root@tjener:~# chage -l test
+Last password change : May 02, 2010
+Password expires : never
+Password inactive : never
+Account expires : never
+Minimum number of days between password change : 0
+Maximum number of days between password change : 99999
+Number of days of warning before password expires : 7
+root@tjener:~#
+</pre></blockquote>
+
+<p>The only way I could come up with to create a user with an expired
+account, is to change the date of the last password change to the
+lowest value possible (January 1th 1970), and the maximum password age
+to the difference in days between that date and today. To make it
+simple, I went for 30 years (30 * 365 = 10950) and January 2th (to
+avoid testing if 0 is a valid value).</p>
+
+<p>After using these commands to set it up, it seem to work as
+intended:</p>
+
+<blockquote><pre>
+root@tjener:~# chage -d 1 test; chage -M 10950 test
+root@tjener:~# chage -l test
+Last password change : Jan 02, 1970
+Password expires : never
+Password inactive : never
+Account expires : never
+Minimum number of days between password change : 0
+Maximum number of days between password change : 10950
+Number of days of warning before password expires : 7
+root@tjener:~#
+</pre></blockquote>
+
+<p>So far I have tested this with ssh and console, and kdm (in
+Squeeze) login, and all ask for a new password before login in the
+user (with ssh, I was thrown out and had to log in again).</p>
+
+<p>Perhaps we should set up something similar for Debian Edu, to make
+sure only the user itself have the account password?</p>
+
+<p>If you want to comment on or help out with implementing this for
+Debian Edu, please contact us on debian-edu@lists.debian.org.</p>
+</description>
+ </item>
+
<item>
<title>Thoughts on roaming laptop setup for Debian Edu</title>
<link>Thoughts_on_roaming_laptop_setup_for_Debian_Edu.html</link>
</description>
</item>
- <item>
- <title>Sikkerhet, teater, og hvordan gjøre verden sikrere</title>
- <link>Sikkerhet__teater__og_hvordan_gj__re_verden_sikrere.html</link>
- <guid isPermaLink="true">Sikkerhet__teater__og_hvordan_gj__re_verden_sikrere.html</guid>
- <pubDate>Wed, 30 Dec 2009 16:35:00 +0100</pubDate>
- <description>
-<p>Via Slashdot fant jeg en
-<a href="http://www.cnn.com/2009/OPINION/12/29/schneier.air.travel.security.theater/index.html">nydelig
-kommentar fra Bruce Schneier</a> som ble publisert hos CNN i går. Den
-forklarer forbilledlig hvorfor sikkerhetsteater og innføring av
-totalitære politistatmetoder ikke er løsningen for å gjøre verden
-sikrere. Anbefales på det varmeste.</p>
-
-<p>Oppdatering: Kom over
-<a href="http://gizmodo.com/5435675/president-obama-its-time-to-fire-the-tsa">nok
-en kommentar</a> om den manglende effekten av dagens sikkerhetsteater
-på flyplassene.</p>
-</description>
- </item>
-
</channel>
</rss>
projects / homepage.git / blobdiff