One interesting feature in Active Directory is the ability to create a new user with an expired password, and thus force the user to change the password on the first login attempt.
I'm not quite sure how to do that with the LDAP setup in Debian Edu, but I did some initial testing with a local account. The account and password aging information is available in /etc/shadow, but unfortunately, it is not possible to specify an expiration time for passwords, only a maximum age for passwords.
A freshly created account (using adduser test) will have these settings in /etc/shadow:
    root@tjener:~# chage -l test
    Last password change                    : May 02, 2010
    Password expires                        : never
    Password inactive                       : never
    Account expires                         : never
    Minimum number of days between password change : 0
    Maximum number of days between password change : 99999
    Number of days of warning before password expires : 7
    root@tjener:~#
The only way I could come up with to create a user with an expired account, is to change the date of the last password change to the lowest value possible (January 1st 1970), and the maximum password age to the difference in days between that date and today. To make it simple, I went for 30 years (30 * 365 = 10950) and January 2nd (to avoid testing if 0 is a valid value).
After using these commands to set it up, it seems to work as intended:
    root@tjener:~# chage -d 1 test; chage -M 10950 test
    root@tjener:~# chage -l test
    Last password change                    : Jan 02, 1970
    Password expires                        : never
    Password inactive                       : never
    Account expires                         : never
    Minimum number of days between password change : 0
    Maximum number of days between password change : 10950
    Number of days of warning before password expires : 7
    root@tjener:~#
So far I have tested this with ssh and console login, and kdm (in Squeeze) login, and all ask for a new password before logging the user in (with ssh, I was thrown out and had to log in again).
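As an added example (not from the original post, and not Debian Edu's code), the script below evaluates the password-aging fields of an /etc/shadow line the way the PAM login path does, so the effect of the chage trick above can be checked without logging in as the user. It follows the rule in pam_unix's shadow expiry check (today minus last change greater than the maximum age means a new password is required; if the inactive period has also lapsed the account is disabled instead), and it treats a last-change value of 0 the way shadow(5) documents it: the user must change the password at the next login, which is what `chage -d 0 test` sets. The boundary day itself is handled differently by the shadow tools' own isexpired(), so do not rely on exactly which day the switch happens. The sample shadow lines and hash strings are constructed for this example; the day numbers match the dates in the chage output above (14731 is May 2, 2010).

```shell
#!/bin/sh
# Added example: check /etc/shadow password-aging fields without a login.
# Field layout (shadow(5)): name:hash:lastchg:min:max:warn:inact:expire:flag
# Days are counted since 1970-01-01, like the values chage -d / -M write.

# Today as days since the epoch, the unit used by /etc/shadow.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# password_state SHADOW_LINE [TODAY_DAYS]
# Prints one word:
#   noaging  - lastchg field empty: password aging disabled for this account
#   change   - login succeeds but a new password is demanded first
#   inactive - password expired and the inactive period has passed too,
#              so the login is refused instead of prompting (pam_unix rule)
#   ok       - password still valid
password_state() {
    line=$1
    today=${2:-$(today_days)}
    lastchg=$(printf '%s\n' "$line" | cut -d: -f3)
    max=$(printf '%s\n' "$line" | cut -d: -f5)
    inact=$(printf '%s\n' "$line" | cut -d: -f7)

    if [ -z "$lastchg" ]; then
        echo noaging; return 0
    fi
    # shadow(5): 0 in the last-change field means "must change at next login".
    # This is what "chage -d 0 user" sets and is the documented way to do
    # what the blog post does with -d 1 and a 30-year maximum age.
    if [ "$lastchg" -eq 0 ]; then
        echo change; return 0
    fi
    # Empty or -1 maximum age: the password never expires (chage shows "never").
    if [ -z "$max" ] || [ "$max" -lt 0 ]; then
        echo ok; return 0
    fi
    # A last-change date in the future is treated as valid by pam_unix.
    if [ "$today" -lt "$lastchg" ]; then
        echo ok; return 0
    fi
    age=$(( today - lastchg ))
    if [ "$age" -gt "$max" ]; then
        # With an inactive period set, an expired password locks the account
        # out entirely once max + inact days have passed: the "expired
        # account" trick then prevents the first login instead of forcing
        # a password change.
        if [ -n "$inact" ] && [ "$inact" -ge 0 ] && [ "$age" -gt $(( max + inact )) ]; then
            echo inactive; return 0
        fi
        echo change; return 0
    fi
    echo ok
}

# Constructed sample lines (hashes are placeholders, not real password hashes).
# A fresh "adduser test" account, password changed on day 14731 (May 2, 2010):
SAMPLE_FRESH='test:$6$examplesalt$examplehash:14731:0:99999:7:::'
# The same account after "chage -d 1 test; chage -M 10950 test":
SAMPLE_TRICK='test:$6$examplesalt$examplehash:1:0:10950:7:::'
# The same account after the documented "chage -d 0 test":
SAMPLE_ZERO='test:$6$examplesalt$examplehash:0:0:99999:7:::'
# The trick combined with a 30-day inactive period ("chage -I 30 test"):
SAMPLE_TRICK_INACTIVE='test:$6$examplesalt$examplehash:1:0:10950:7:30::'

# Stand-alone run: show the state of each sample as of May 2, 2010.
for s in "$SAMPLE_FRESH" "$SAMPLE_TRICK" "$SAMPLE_ZERO" "$SAMPLE_TRICK_INACTIVE"; do
    printf '%-8s %s\n' "$(password_state "$s" 14731)" "$s"
done
```

On a live system the same check can be run against `getent shadow test` as root, and the chage commands themselves are unchanged from the post. Note that the 30-year approximation only yields "change" once more than 10950 days have passed since January 2nd 1970, i.e. from late 1999 on; `chage -d 0` has no such dependency on the current date.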
Perhaps we should set up something similar for Debian Edu, to make sure only the user itself has the account password?
If you want to comment on or help out with implementing this for Debian Edu, please contact us on debian-edu@lists.debian.org.