Password aging
Allen, Jack
Jack.Allen at McKesson.com
Thu Aug 18 16:31:12 UTC 2005
-----Original Message-----
From: Rick Stevens [mailto:rstevens at vitalstream.com]
Sent: Thursday, August 18, 2005 12:07 PM
To: Getting started with Red Hat Linux
Subject: Re: Password aging
Allen, Jack wrote:
>
> -----Original Message-----
> From: jludwig [mailto:wralphie at comcast.net]
> Sent: Wednesday, August 17, 2005 8:21 PM
> To: Getting started with Red Hat Linux
> Subject: Re: Password aging
>
>
> On Wednesday 17 August 2005 06:46 pm, Allen, Jack wrote:
>
>>I have AS 4 64 bit installed. I have tried to enable password aging, but
>>can not get it to work. I have used the chage command to change the
>>expiration day. I can show it should have expired by doing "chage -l
>>login_name". When I login I do not get a warning, and I am not asked to
>>change my password. Is there some other configuration file that needs to
>>be changed to enable it? The system is configured with shadow and md5
>>encryption.
>
>
> From;
> man chage
>
> The -E option is used to set a date on which the user's account will
> no longer be accessible. The expiredate option is the number of days since
> January 1, 1970 on which the account is locked. The date may also be
> expressed in the format YYYY-MM-DD (or the format more commonly used in
> your area). A user whose account is locked must contact the system
> administrator before being able to use the system again.
>
> Did you set this?
>
> I am not trying to lock the account. I am trying to force the user
> to change their password after a certain number of days. You know company
> rules. What should be happening is the user connects to the system, provides
> their login name and then gets prompted for their password. After they enter
> the password they should get a message that their password has expired and
> please enter a new one. In other words it would be like they got logged in
> and received a message to change their password and they entered "passwd".
You need to set the "-W n" (warn days) option to chage. In other words,
to set a user's account to expire on September 1, 2005, and warn them
for 7 days previous, the chage command would be:
# chage -E 2005-09-01 -W 7 username
> I assume it is the login program that handles this by what it finds
> in the shadow file. I have also looked for configuration options for login,
> to try and determine if it should be paying any attention to the aging
> information in the shadow file. I could not find anything. I have even
> looked at PAM and found /etc/pam.d/login. But I determined by looking at the
> last accessed time on the file that it was not being accessed when I tested
> logging in. So I am still looking for what controls making the user change
> their password after some number of days.
That's the "-M" option. Here's a form I use a lot that sets the
following criteria:
Disable an account after 60 days of inactivity
Allow a user to change passwords whenever they want
Force a password change every 30 days
Warn the user for 7 days to change their password
The corresponding chage command is:
# chage -I 60 -m 0 -M 30 -W 7 username
You do know that chage will run in interactive mode if you don't specify
any options, e.g.
# chage username
=============
These are the settings for user white3. When I connect I enter the login name
and then the password and get the shell prompt. It never warns me the
password will or has expired. So what am I missing? As I asked earlier,
exactly what program is supposed to be checking the values? I assume login,
maybe using one of the PAM configuration files.
Changing the aging information for white3
Enter the new value, or press ENTER for the default
Minimum Password Age [0]:
Maximum Password Age [1]:
Last Password Change (YYYY-MM-DD) [2005-08-15]:
Password Expiration Warning [1]:
Password Inactive [14]:
Account Expiration Date (YYYY-MM-DD) [2005-08-22]:
Thanks:
Jack Allen
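
An added example, not part of the original thread: a small evaluator that reads the aging fields of one /etc/shadow entry as shadow(5) describes them and reports the state the account should be in on a given day, which is the baseline to compare against what login actually does. The shadow lines are constructed from the values quoted in this thread, the function names are hypothetical, and day-boundary behaviour is an assumption that can differ by one day between implementations.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

def days(d: date) -> int:
    """Days since 1970-01-01, the unit /etc/shadow stores dates in."""
    return (d - EPOCH).days

def _num(field: str) -> int:
    # An empty shadow field means "not set"; represent it as -1.
    return int(field) if field.strip() else -1

def aging_state(shadow_line: str, today: date) -> str:
    """Classify one /etc/shadow entry as of `today`."""
    f = shadow_line.rstrip("\n").split(":")
    if len(f) < 9:
        raise ValueError("expected 9 colon-separated fields")
    # Fields 3..8: last change, min age, max age, warn, inactive, expire.
    lastchg, _min, mx, warn, inact, expire = (_num(x) for x in f[2:8])
    now = days(today)
    if expire > 0 and now >= expire:
        return "account_expired"      # chage -E date has passed
    if lastchg == 0:
        return "password_expired"     # change forced at next login
    if lastchg < 0 or mx < 0:
        return "ok"                   # aging not configured
    pw_end = lastchg + mx             # chage -M days after last change
    if inact >= 0 and now >= pw_end + inact:
        return "inactive"             # chage -I grace period used up
    if now >= pw_end:
        return "password_expired"     # login should demand a new password
    if warn > 0 and now >= pw_end - warn:
        return "warning"              # chage -W window
    return "ok"

# Constructed entries; the password field is a placeholder, not a real hash.
# white3: values from the interactive chage output above.
WHITE3 = f"white3:x:{days(date(2005, 8, 15))}:0:1:1:14:{days(date(2005, 8, 22))}:"
# Policy from "chage -I 60 -m 0 -M 30 -W 7", last change 2005-08-15.
POLICY = f"username:x:{days(date(2005, 8, 15))}:0:30:7:60::"

if __name__ == "__main__":
    for d in (date(2005, 8, 18), date(2005, 8, 23)):
        print("white3", d, aging_state(WHITE3, d))
    for d in (date(2005, 8, 18), date(2005, 9, 10),
              date(2005, 9, 20), date(2005, 12, 1)):
        print("policy", d, aging_state(POLICY, d))
```

For the white3 values on the date of this message (2005-08-18) the result is password_expired, so a login that goes straight to a shell prompt means the aging fields are not being evaluated at login.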