<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=US-ASCII">
<TITLE>Message</TITLE>
<META content="MSHTML 6.00.2800.1479" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=929205001-16022005><FONT face=Arial color=#0000ff
size=2>Raj,</FONT></SPAN></DIV>
<DIV><SPAN class=929205001-16022005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=929205001-16022005><FONT face=Arial color=#0000ff size=2>The
user's account should fall into the system-wide policy. In /etc/login.defs
the value for PASS_MAX_DAYS should be set to 90. Then every account on the
box will expire in the 90-day rotation. Good practice for security
reasons!! </FONT></SPAN></DIV>
<DIV><SPAN class=929205001-16022005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=929205001-16022005><FONT face=Arial color=#0000ff size=2>You
then don't have to account for it in your <EM>useradd()</EM> script.
</FONT></SPAN></DIV>
<DIV><SPAN class=929205001-16022005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=929205001-16022005><FONT face=Arial color=#0000ff size=2>As for
forcing the user to change their password at first login, in your script when
you set the user's "default" password with <EM>passwd(),</EM> use the " -f "
option to force a password change on first login. You can also do some
other "timed" password change options if you know the user isn't going to log in
"..right now....but you don't want the account to remain available for, let's say
two weeks...." This is good in the event you're always using the same default
password for your new users. Prevents the "Internal Attacks", if you know
what I mean.</FONT></SPAN></DIV>
<DIV><SPAN class=929205001-16022005></SPAN><SPAN
class=929205001-16022005></SPAN><SPAN class=929205001-16022005><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=929205001-16022005><FONT face=Arial color=#0000ff
size=2>--Mike. </FONT></SPAN></DIV>
<DIV> </DIV>
<DIV> </DIV>
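<P>An added example, not part of the original messages: a read-only check of the two settings this thread discusses, run over shadow-format lines. It reports, for each account that can log in with a password, whether the maximum password age exceeds a limit and whether a change is forced at the next login (last-change field 0, the value <EM>chage -d 0</EM> sets); the function names and sample data are constructed for illustration.</P>

```shell
#!/bin/sh
# Added example: read-only audit of the password-aging settings discussed above.
# /etc/login.defs holds the defaults useradd gives to new accounts; /etc/shadow
# holds each account's effective values:
#   name:hash:last_change:min:max:warn:inactive:expire
# last_change = 0 means the password must be changed at the next login.

# Constructed sample data (not from a real system).
SAMPLE_LOGIN_DEFS='# constructed login.defs excerpt
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7'

SAMPLE_SHADOW='root:$6$constructed$hash:12800:0:99999:7:::
newuser:$6$constructed$hash:0:0:90:7:::
olduser:$6$constructed$hash:12700:0:90:7:::
daemon:*:12800:0:99999:7:::
locked:!!:12800:0:99999:7:::'

# Print the active (uncommented) PASS_MAX_DAYS value from login.defs text on stdin.
login_defs_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }'
}

# Read shadow-format lines on stdin; $1 is the maximum allowed password age in days.
# Accounts whose hash field starts with ! or * cannot log in with a password
# and are skipped.
audit_shadow() {
    awk -F: -v limit="$1" '
        $2 ~ /^[!*]/ { next }
        {
            flags = ""
            if ($5 == "" || $5 + 0 > limit + 0) flags = flags " max_days=" ($5 == "" ? "unset" : $5)
            if ($3 == "0") flags = flags " change_at_next_login"
            if (flags == "") flags = " ok"
            print $1 flags
        }'
}

echo "login.defs PASS_MAX_DAYS: $(printf '%s\n' "$SAMPLE_LOGIN_DEFS" | login_defs_max_days)"
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 90
# On a real system (as root): audit_shadow 90 < /etc/shadow
```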
<BLOCKQUOTE style="MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B>
rhn-users-bounces@redhat.com [mailto:rhn-users-bounces@redhat.com] <B>On
Behalf Of </B>Raj Kumar<BR><B>Sent:</B> Tuesday, February 15, 2005 5:28
PM<BR><B>To:</B> Red Hat Network Users List<BR><B>Subject:</B> [rhn-users]
force user to change password on first login<BR><BR></FONT></DIV>
<P>Hello, <BR><BR>We have a script to create user accounts and set some
default passwords. We want to force the user to change their password on
their first login. After that, we want to force users to change their password
every 90 days. How do I achieve this?<BR><BR>chage -M 90 might force the user
to change his password after 90 days from last change. But how do I force the
user to change their password on first login? chage -M 0 ?? But after issuing
chage -M 0 when I log in using ssh I get an error message:<BR><BR>You are
required to change your password immediately (password aged)<BR>Your password
has expired, the session cannot proceed.<BR>Connection to 192.168.2.4
closed.<BR><BR><BR>Thank you!<BR>Raj<BR></P></BLOCKQUOTE></BODY></HTML>