<P>
Hello Mike,<BR>
<BR>
Thanks for replying to my posting.<BR>
<BR>
I changed the password for user1 using "passwd -f user1" as root. I logged in successfully without any warnings that user1 password will expire soon. I'll try log in tomorrow as user1 and see if I will get the warning. I may be wrong, but I think I wont get the error/warning message since the password doesn't expire until May 18, 2005<BR>
<BR>
chage -l user1<BR>
Minimum: 0<BR>
Maximum: 90<BR>
Warning: 7<BR>
Inactive: -1<BR>
Last Change: Feb 17, 2005<BR>
Password Expires: May 18, 2005<BR>
Password Inactive: Never<BR>
Account Expires: Never<BR>
<BR>
I was just wondering what meta information will show that user1 will be given warning message after 24hrs. <BR>
<BR>
Thanks again for your help!<BR>
<BR>
Raj<BR>
<BR>
PS: I am sending this email to rhn-users list now... hope this info will be useful to others...<BR>
<BR>
On Wed, 16 Feb 2005 Sullivan,Michael wrote :<BR>
>Hello Raj,<BR>
><BR>
>You did interpret that correctly. The user now will be prompted to change<BR>
>their password in 24hrs after first login and the global policy has been<BR>
>applied to the account. (password expiration in 90 days.)<BR>
><BR>
>--Mike.<BR>
><BR>
>CONFIDENTIALITY NOTICE: This email from EDS is for the sole use of the<BR>
>intended recipient and may contain confidential and privileged information.<BR>
>Any unauthorized review or use, including disclosure or distribution is<BR>
>prohibited. If you are not the intended recipient, please contact the<BR>
>sender and destroy all copies of the email.<BR>
><BR>
>-----Original Message-----<BR>
> From: Raj Kumar [mailto:rajkum2002@rediffmail.com]<BR>
>Sent: Wednesday, February 16, 2005 7:55 AM<BR>
>To: Sullivan,Michael<BR>
>Subject: Re: RE: [rhn-users] force user to change password on first login<BR>
><BR>
><BR>
><BR>
>Mike,<BR>
><BR>
>Thanks for your reply!<BR>
><BR>
>man passwd:<BR>
><BR>
>-u This is the reverse of the -l option - it will unlock the<BR>
>account password by removing the ! prefix. This option is avail-<BR>
>able to root only. By default passwd will refuse to create a<BR>
>passwordless account (it will not unlock an account that has<BR>
>only "!" as a password). The force option -f will override this<BR>
>protection.<BR>
><BR>
>It looks like -f is just a "force option". so as root I tried<BR>
>passwd -f user1<BR>
>... entered new password<BR>
><BR>
>logged in as user1 successfully. The reason I believe the login was<BR>
>successful becoz<BR>
><BR>
>chage -l user1-- before issuing passwd -f user1<BR>
><BR>
>Minimum: 0<BR>
>Maximum: 90<BR>
>Warning: 7<BR>
>Inactive: -1<BR>
>Last Change: Feb 05, 2005<BR>
>Password Expires: May 06, 2005<BR>
>Password Inactive: Never<BR>
>Account Expires: Never<BR>
><BR>
>chage -l user1-- after issuing passwd -f user1<BR>
><BR>
>Minimum: 0<BR>
>Maximum: 90<BR>
>Warning: 7<BR>
>Inactive: -1<BR>
>Last Change: Feb 16, 2005<BR>
>Password Expires: May 17, 2005<BR>
>Password Inactive: Never<BR>
>Account Expires: Never<BR>
><BR>
>---Password Expires: May 17, 2005<BR>
>Since the password expires on May 17, I was not forced to change the<BR>
>password after log in as user1.<BR>
><BR>
>Did I interpret it incorrectly?<BR>
><BR>
>Thanks again for your help!!<BR>
><BR>
>Raj<BR>
><BR>
>On Wed, 16 Feb 2005 Sullivan,Michael wrote :<BR>
> >Raj,<BR>
> ><BR>
> >The users account should fall into the system wide policy. In<BR>
> >etc/login.defs the value for PASS_MAX_DAYS should be set to 90. Then every<BR>
> >account on the box will expire in the 90 day rotation. Good practice for<BR>
> >security reasons!!<BR>
> ><BR>
> >You then don't have to account for it in your useradd() script.<BR>
> ><BR>
> >As for forcing the user to change their password at first login, in your<BR>
> >script when you set the users "default" password with passwd(), use the "<BR>
>-f<BR>
> >" option to force a password change on first login. You can also do some<BR>
> >other "timed" password change options if you know the user isn't going to<BR>
> >login "..right now....but you don't want the account to remain available<BR>
> >for, lets say two weeks...." This is good in the event your always using<BR>
>the<BR>
> >same default password for your new users. Prevents the "Internal Attacks",<BR>
> >if you know what I mean.<BR>
> ><BR>
> >--Mike.<BR>
> ><BR>
> ><BR>
> ><BR>
> >CONFIDENTIALITY NOTICE: This email from EDS is for the sole use of the<BR>
> >intended recipient and may contain confidential and privileged information.<BR>
> >Any unauthorized review or use, including disclosure or distribution is<BR>
> >prohibited. If you are not the intended recipient, please contact the<BR>
> >sender and destroy all copies of the email.<BR>
> ><BR>
> >-----Original Message-----<BR>
> > From: rhn-users-bounces@redhat.com [mailto:rhn-users-bounces@redhat.com]<BR>
>On<BR>
> >Behalf Of Raj Kumar<BR>
> >Sent: Tuesday, February 15, 2005 5:28 PM<BR>
> >To: Red Hat Network Users List<BR>
> >Subject: [rhn-users] force user to change password on first login<BR>
> ><BR>
> ><BR>
> ><BR>
> >Hello,<BR>
> ><BR>
> >We have a script to create users accounts and set some default passwords.<BR>
>We<BR>
> >want to force the user to change their passwords on their first login.<BR>
>After<BR>
> >that, we want to force users to change password for every 90 days. How do I<BR>
> >achieve this?<BR>
> ><BR>
> >chage -M 90 might force the user to change his password after 90 days from<BR>
> >last change. But how do I force the user to change their password on first<BR>
> >login? chage -M 0 ?? But after issuing chage -M 0 when i login using ssh i<BR>
> >get an error message:<BR>
> ><BR>
> >You are required to change your password immediately (password aged)<BR>
> >Your password has expired, the session cannot proceed.<BR>
> >Connection to 192.168.2.4 closed.<BR>
> ><BR>
> ><BR>
> >Thank you!<BR>
> >Raj<BR>
> ><BR>
> ><BR>
> ><BR>
> ><BR>
> > <http://clients.rediff.com/signature/track_sig.asp><BR>
> ><BR>
><BR>
><BR>
><BR>
><BR>
> <http://clients.rediff.com/signature/track_sig.asp><BR>
><BR>
</P>
<br><br>
<A target="_blank" HREF="http://clients.rediff.com/signature/track_sig.asp"><IMG SRC="http://ads.rediff.com/RealMedia/ads/adstream_nx.cgi/www.rediffmail.com/inbox.htm@Bottom" BORDER=0 VSPACE=0 HSPACE=0></a>