From: Petter Reinholdtsen <pere@hungry.com>
Date: Sun, 2 May 2010 11:45:49 +0000 (+0000)
Subject: New entry.
X-Git-Url: https://pere.pagekite.me/gitweb/homepage.git/commitdiff_plain/296b6f3716a44153e374d0a79a07551132c144e7

New entry.
---

diff --git a/blog/data/2010-05-02-expired-passwords.txt b/blog/data/2010-05-02-expired-passwords.txt
new file mode 100644
index 0000000000..ebbc1a90d4
--- /dev/null
+++ b/blog/data/2010-05-02-expired-passwords.txt
@@ -0,0 +1,61 @@
+Title: Forcing new users to change their password on first login
+Tags: english, nuug, debian edu
+Date: 2010-05-02 13:40
+
+<p>One interesting feature in Active Directory, is the ability to
+create a new user with an expired password, and thus force the user to
+change the password on the first login attempt.</p>
+
+<p>I'm not quite sure how to do that with the LDAP setup in Debian
+Edu, but did some initial testing with a local account.  The account
+and password aging information is available in /etc/shadow, but
+unfortunately, it is not possible to specify an expiration time for
+passwords, only a maximum age for passwords.</p>
+
+<p>A freshly created account (using adduser test) will have these
+settings in /etc/shadow:</p>
+
+<blockquote><pre>
+root@tjener:~# chage -l test
+Last password change                                    : May 02, 2010
+Password expires                                        : never
+Password inactive                                       : never
+Account expires                                         : never
+Minimum number of days between password change          : 0
+Maximum number of days between password change          : 99999
+Number of days of warning before password expires       : 7
+root@tjener:~#
+</pre></blockquote>
+
+<p>The only way I could come up with to create a user with an expired
+account, is to change the date of the last password change to the
+lowest value possible (January 1th 1970), and the maximum password age
+to the difference in days between that date and today.  To make it
+simple, I went for 30 years and January 2th (to avoid testing if 0 is
+a valid value).</p>
+
+<p>After using these commands to set it up, it seem to work as
+intended:</p>
+
+<blockquote><pre>
+root@tjener:~# chage -d 1 test; chage -M 10950 test
+root@tjener:~# chage -l test
+Last password change                                    : Jan 02, 1970
+Password expires                                        : never
+Password inactive                                       : never
+Account expires                                         : never
+Minimum number of days between password change          : 0
+Maximum number of days between password change          : 10950
+Number of days of warning before password expires       : 7
+root@tjener:~#  
+</pre></blockquote>
+
+<p>So far I have tested this with ssh and console, and kdm (in
+Squeeze) login, and all ask for a new password before login in the
+user (with ssh, I was thrown out and had to log in again).</p>
+
+<p>Perhaps we should set up something similar for Debian Edu, to make
+sure only the user itself have the account password?</p>
+
+<p>If you want to comment on or help out with implementing this for
+Debian Edu, please contact us on debian-edu@lists.debian.org.</p>