[rhn-users] force user to change password on first login
Raj Kumar
rajkum2002 at rediffmail.com
Thu Feb 17 16:04:39 UTC 2005
Hello Mike,
Thanks for replying to my posting.
I changed the password for user1 using "passwd -f user1" as root. I logged in successfully without any warnings that user1 password will expire soon. I'll try log in tomorrow as user1 and see if I will get the warning. I may be wrong, but I think I wont get the error/warning message since the password doesn't expire until May 18, 2005
chage -l user1
Minimum: 0
Maximum: 90
Warning: 7
Inactive: -1
Last Change: Feb 17, 2005
Password Expires: May 18, 2005
Password Inactive: Never
Account Expires: Never
I was just wondering what meta information will show that user1 will be given warning message after 24hrs.
Thanks again for your help!
Raj
PS: I am sending this email to rhn-users list now... hope this info will be useful to others...
On Wed, 16 Feb 2005 Sullivan,Michael wrote :
>Hello Raj,
>
>You did interpret that correctly. The user now will be prompted to change
>their password in 24hrs after first login and the global policy has been
>applied to the account. (password expiration in 90 days.)
>
>--Mike.
>
>CONFIDENTIALITY NOTICE: This email from EDS is for the sole use of the
>intended recipient and may contain confidential and privileged information.
>Any unauthorized review or use, including disclosure or distribution is
>prohibited. If you are not the intended recipient, please contact the
>sender and destroy all copies of the email.
>
>-----Original Message-----
> From: Raj Kumar [mailto:rajkum2002 at rediffmail.com]
>Sent: Wednesday, February 16, 2005 7:55 AM
>To: Sullivan,Michael
>Subject: Re: RE: [rhn-users] force user to change password on first login
>
>
>
>Mike,
>
>Thanks for your reply!
>
>man passwd:
>
>-u This is the reverse of the -l option - it will unlock the
>account password by removing the ! prefix. This option is avail-
>able to root only. By default passwd will refuse to create a
>passwordless account (it will not unlock an account that has
>only "!" as a password). The force option -f will override this
>protection.
>
>It looks like -f is just a "force option". so as root I tried
>passwd -f user1
>... entered new password
>
>logged in as user1 successfully. The reason I believe the login was
>successful becoz
>
>chage -l user1-- before issuing passwd -f user1
>
>Minimum: 0
>Maximum: 90
>Warning: 7
>Inactive: -1
>Last Change: Feb 05, 2005
>Password Expires: May 06, 2005
>Password Inactive: Never
>Account Expires: Never
>
>chage -l user1-- after issuing passwd -f user1
>
>Minimum: 0
>Maximum: 90
>Warning: 7
>Inactive: -1
>Last Change: Feb 16, 2005
>Password Expires: May 17, 2005
>Password Inactive: Never
>Account Expires: Never
>
>---Password Expires: May 17, 2005
>Since the password expires on May 17, I was not forced to change the
>password after log in as user1.
>
>Did I interpret it incorrectly?
>
>Thanks again for your help!!
>
>Raj
>
>On Wed, 16 Feb 2005 Sullivan,Michael wrote :
> >Raj,
> >
> >The users account should fall into the system wide policy. In
> >etc/login.defs the value for PASS_MAX_DAYS should be set to 90. Then every
> >account on the box will expire in the 90 day rotation. Good practice for
> >security reasons!!
> >
> >You then don't have to account for it in your useradd() script.
> >
> >As for forcing the user to change their password at first login, in your
> >script when you set the users "default" password with passwd(), use the "
>-f
> >" option to force a password change on first login. You can also do some
> >other "timed" password change options if you know the user isn't going to
> >login "..right now....but you don't want the account to remain available
> >for, lets say two weeks...." This is good in the event your always using
>the
> >same default password for your new users. Prevents the "Internal Attacks",
> >if you know what I mean.
> >
> >--Mike.
> >
> >
> >
> >CONFIDENTIALITY NOTICE: This email from EDS is for the sole use of the
> >intended recipient and may contain confidential and privileged information.
> >Any unauthorized review or use, including disclosure or distribution is
> >prohibited. If you are not the intended recipient, please contact the
> >sender and destroy all copies of the email.
> >
> >-----Original Message-----
> > From: rhn-users-bounces at redhat.com [mailto:rhn-users-bounces at redhat.com]
>On
> >Behalf Of Raj Kumar
> >Sent: Tuesday, February 15, 2005 5:28 PM
> >To: Red Hat Network Users List
> >Subject: [rhn-users] force user to change password on first login
> >
> >
> >
> >Hello,
> >
> >We have a script to create users accounts and set some default passwords.
>We
> >want to force the user to change their passwords on their first login.
>After
> >that, we want to force users to change password for every 90 days. How do I
> >achieve this?
> >
> >chage -M 90 might force the user to change his password after 90 days from
> >last change. But how do I force the user to change their password on first
> >login? chage -M 0 ?? But after issuing chage -M 0 when i login using ssh i
> >get an error message:
> >
> >You are required to change your password immediately (password aged)
> >Your password has expired, the session cannot proceed.
> >Connection to 192.168.2.4 closed.
> >
> >
> >Thank you!
> >Raj
> >
> >
> >
> >
> > <http://clients.rediff.com/signature/track_sig.asp>
> >
>
>
>
>
> <http://clients.rediff.com/signature/track_sig.asp>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/rhn-users/attachments/20050217/8295562e/attachment.htm>
More information about the rhn-users
mailing list