Hello Mike, Thanks for replying to my posting. I changed the password for user1 using "passwd -f user1" as root. I logged in successfully without any warnings that user1 password will expire soon. I'll try log in tomorrow as user1 and see if I will get the warning. I may be wrong, but I think I wont get the error/warning message since the password doesn't expire until May 18, 2005 chage -l user1 Minimum: 0 Maximum: 90 Warning: 7 Inactive: -1 Last Change: Feb 17, 2005 Password Expires: May 18, 2005 Password Inactive: Never Account Expires: Never I was just wondering what meta information will show that user1 will be given warning message after 24hrs. Thanks again for your help! Raj PS: I am sending this email to rhn-users list now... hope this info will be useful to others... On Wed, 16 Feb 2005 Sullivan,Michael wrote : >Hello Raj, > >You did interpret that correctly. The user now will be prompted to change >their password in 24hrs after first login and the global policy has been >applied to the account. (password expiration in 90 days.) > >--Mike. > >CONFIDENTIALITY NOTICE: This email from EDS is for the sole use of the >intended recipient and may contain confidential and privileged information. >Any unauthorized review or use, including disclosure or distribution is >prohibited. If you are not the intended recipient, please contact the >sender and destroy all copies of the email. > >-----Original Message----- > From: Raj Kumar [mailto:rajkum2002@rediffmail.com] >Sent: Wednesday, February 16, 2005 7:55 AM >To: Sullivan,Michael >Subject: Re: RE: [rhn-users] force user to change password on first login > > > >Mike, > >Thanks for your reply! > >man passwd: > >-u This is the reverse of the -l option - it will unlock the >account password by removing the ! prefix. This option is avail- >able to root only. By default passwd will refuse to create a >passwordless account (it will not unlock an account that has >only "!" as a password). The force option -f will override this >protection. > >It looks like -f is just a "force option". so as root I tried >passwd -f user1 >... entered new password > >logged in as user1 successfully. The reason I believe the login was >successful becoz > >chage -l user1-- before issuing passwd -f user1 > >Minimum: 0 >Maximum: 90 >Warning: 7 >Inactive: -1 >Last Change: Feb 05, 2005 >Password Expires: May 06, 2005 >Password Inactive: Never >Account Expires: Never > >chage -l user1-- after issuing passwd -f user1 > >Minimum: 0 >Maximum: 90 >Warning: 7 >Inactive: -1 >Last Change: Feb 16, 2005 >Password Expires: May 17, 2005 >Password Inactive: Never >Account Expires: Never > >---Password Expires: May 17, 2005 >Since the password expires on May 17, I was not forced to change the >password after log in as user1. > >Did I interpret it incorrectly? > >Thanks again for your help!! > >Raj > >On Wed, 16 Feb 2005 Sullivan,Michael wrote : > >Raj, > > > >The users account should fall into the system wide policy. In > >etc/login.defs the value for PASS_MAX_DAYS should be set to 90. Then every > >account on the box will expire in the 90 day rotation. Good practice for > >security reasons!! > > > >You then don't have to account for it in your useradd() script. > > > >As for forcing the user to change their password at first login, in your > >script when you set the users "default" password with passwd(), use the " >-f > >" option to force a password change on first login. You can also do some > >other "timed" password change options if you know the user isn't going to > >login "..right now....but you don't want the account to remain available > >for, lets say two weeks...." This is good in the event your always using >the > >same default password for your new users. Prevents the "Internal Attacks", > >if you know what I mean. > > > >--Mike. > > > > > > > >CONFIDENTIALITY NOTICE: This email from EDS is for the sole use of the > >intended recipient and may contain confidential and privileged information. > >Any unauthorized review or use, including disclosure or distribution is > >prohibited. If you are not the intended recipient, please contact the > >sender and destroy all copies of the email. > > > >-----Original Message----- > > From: rhn-users-bounces@redhat.com [mailto:rhn-users-bounces@redhat.com] >On > >Behalf Of Raj Kumar > >Sent: Tuesday, February 15, 2005 5:28 PM > >To: Red Hat Network Users List > >Subject: [rhn-users] force user to change password on first login > > > > > > > >Hello, > > > >We have a script to create users accounts and set some default passwords. >We > >want to force the user to change their passwords on their first login. >After > >that, we want to force users to change password for every 90 days. How do I > >achieve this? > > > >chage -M 90 might force the user to change his password after 90 days from > >last change. But how do I force the user to change their password on first > >login? chage -M 0 ?? But after issuing chage -M 0 when i login using ssh i > >get an error message: > > > >You are required to change your password immediately (password aged) > >Your password has expired, the session cannot proceed. > >Connection to 192.168.2.4 closed. > > > > > >Thank you! > >Raj > > > > > > > > > > <http://clients.rediff.com/signature/track_sig.asp> > > > > > > > <http://clients.rediff.com/signature/track_sig.asp> > <A target="_blank" HREF="http://clients.rediff.com/signature/track_sig.asp"><IMG SRC="http://ads.rediff.com/RealMedia/ads/adstream_nx.cgi/www.rediffmail.com/inbox.htm@Bottom" BORDER=0 VSPACE=0 HSPACE=0></a>