<P>
Hi Mike,<BR>
<BR>
I logged in as user1 today and I did not get any warnings. So "passwd -f user1" does not force the user to change password after 24Hrs. <BR>
<BR>
Are there any other options to force the user to change their passwords at first logon?<BR>
<BR>
Thank you,<BR>
Raj<BR>
<BR>
<BR>
On Thu, 17 Feb 2005 Raj Kumar wrote :<BR>
>Hello Mike,<BR>
><BR>
>Thanks for replying to my posting.<BR>
><BR>
>I changed the password for user1 using "passwd -f user1" as root. I logged in successfully without any warnings that user1 password will expire soon. I'll try log in tomorrow as user1 and see if I will get the warning. I may be wrong, but I think I wont get the error/warning message since the password doesn't expire until May 18, 2005<BR>
><BR>
>chage -l user1<BR>
>Minimum: 0<BR>
>Maximum: 90<BR>
>Warning: 7<BR>
>Inactive: -1<BR>
>Last Change: Feb 17, 2005<BR>
>Password Expires: May 18, 2005<BR>
>Password Inactive: Never<BR>
>Account Expires: Never<BR>
><BR>
>I was just wondering what meta information will show that user1 will be given warning message after 24hrs.<BR>
><BR>
>Thanks again for your help!<BR>
><BR>
>Raj<BR>
><BR>
>PS: I am sending this email to rhn-users list now... hope this info will be useful to others...<BR>
><BR>
>On Wed, 16 Feb 2005 Sullivan,Michael wrote :<BR>
> >Hello Raj,<BR>
> ><BR>
> >You did interpret that correctly. The user now will be prompted to change<BR>
> >their password in 24hrs after first login and the global policy has been<BR>
> >applied to the account. (password expiration in 90 days.)<BR>
> ><BR>
> >--Mike.<BR>
> ><BR>
> >CONFIDENTIALITY NOTICE: This email from EDS is for the sole use of the<BR>
> >intended recipient and may contain confidential and privileged information.<BR>
> >Any unauthorized review or use, including disclosure or distribution is<BR>
> >prohibited. If you are not the intended recipient, please contact the<BR>
> >sender and destroy all copies of the email.<BR>
> ><BR>
> >-----Original Message-----<BR>
> > From: Raj Kumar [mailto:rajkum2002@rediffmail.com]<BR>
> >Sent: Wednesday, February 16, 2005 7:55 AM<BR>
> >To: Sullivan,Michael<BR>
> >Subject: Re: RE: [rhn-users] force user to change password on first login<BR>
> ><BR>
> ><BR>
> ><BR>
> >Mike,<BR>
> ><BR>
> >Thanks for your reply!<BR>
> ><BR>
> >man passwd:<BR>
> ><BR>
> >-u This is the reverse of the -l option - it will unlock the<BR>
> >account password by removing the ! prefix. This option is avail-<BR>
> >able to root only. By default passwd will refuse to create a<BR>
> >passwordless account (it will not unlock an account that has<BR>
> >only "!" as a password). The force option -f will override this<BR>
> >protection.<BR>
> ><BR>
> >It looks like -f is just a "force option". so as root I tried<BR>
> >passwd -f user1<BR>
> >... entered new password<BR>
> ><BR>
> >logged in as user1 successfully. The reason I believe the login was<BR>
> >successful becoz<BR>
> ><BR>
> >chage -l user1-- before issuing passwd -f user1<BR>
> ><BR>
> >Minimum: 0<BR>
> >Maximum: 90<BR>
> >Warning: 7<BR>
> >Inactive: -1<BR>
> >Last Change: Feb 05, 2005<BR>
> >Password Expires: May 06, 2005<BR>
> >Password Inactive: Never<BR>
> >Account Expires: Never<BR>
> ><BR>
> >chage -l user1-- after issuing passwd -f user1<BR>
> ><BR>
> >Minimum: 0<BR>
> >Maximum: 90<BR>
> >Warning: 7<BR>
> >Inactive: -1<BR>
> >Last Change: Feb 16, 2005<BR>
> >Password Expires: May 17, 2005<BR>
> >Password Inactive: Never<BR>
> >Account Expires: Never<BR>
> ><BR>
> >---Password Expires: May 17, 2005<BR>
> >Since the password expires on May 17, I was not forced to change the<BR>
> >password after log in as user1.<BR>
> ><BR>
> >Did I interpret it incorrectly?<BR>
> ><BR>
> >Thanks again for your help!!<BR>
> ><BR>
> >Raj<BR>
> ><BR>
> >On Wed, 16 Feb 2005 Sullivan,Michael wrote :<BR>
> > >Raj,<BR>
> > ><BR>
> > >The users account should fall into the system wide policy. In<BR>
> > >etc/login.defs the value for PASS_MAX_DAYS should be set to 90. Then every<BR>
> > >account on the box will expire in the 90 day rotation. Good practice for<BR>
> > >security reasons!!<BR>
> > ><BR>
> > >You then don't have to account for it in your useradd() script.<BR>
> > ><BR>
> > >As for forcing the user to change their password at first login, in your<BR>
> > >script when you set the users "default" password with passwd(), use the "<BR>
> >-f<BR>
> > >" option to force a password change on first login. You can also do some<BR>
> > >other "timed" password change options if you know the user isn't going to<BR>
> > >login "..right now....but you don't want the account to remain available<BR>
> > >for, lets say two weeks...." This is good in the event your always using<BR>
> >the<BR>
> > >same default password for your new users. Prevents the "Internal Attacks",<BR>
> > >if you know what I mean.<BR>
> > ><BR>
> > >--Mike.<BR>
> > ><BR>
> > ><BR>
> > ><BR>
> > >CONFIDENTIALITY NOTICE: This email from EDS is for the sole use of the<BR>
> > >intended recipient and may contain confidential and privileged information.<BR>
> > >Any unauthorized review or use, including disclosure or distribution is<BR>
> > >prohibited. If you are not the intended recipient, please contact the<BR>
> > >sender and destroy all copies of the email.<BR>
> > ><BR>
> > >-----Original Message-----<BR>
> > > From: rhn-users-bounces@redhat.com [mailto:rhn-users-bounces@redhat.com]<BR>
> >On<BR>
> > >Behalf Of Raj Kumar<BR>
> > >Sent: Tuesday, February 15, 2005 5:28 PM<BR>
> > >To: Red Hat Network Users List<BR>
> > >Subject: [rhn-users] force user to change password on first login<BR>
> > ><BR>
> > ><BR>
> > ><BR>
> > >Hello,<BR>
> > ><BR>
> > >We have a script to create users accounts and set some default passwords.<BR>
> >We<BR>
> > >want to force the user to change their passwords on their first login.<BR>
> >After<BR>
> > >that, we want to force users to change password for every 90 days. How do I<BR>
> > >achieve this?<BR>
> > ><BR>
> > >chage -M 90 might force the user to change his password after 90 days from<BR>
> > >last change. But how do I force the user to change their password on first<BR>
> > >login? chage -M 0 ?? But after issuing chage -M 0 when i login using ssh i<BR>
> > >get an error message:<BR>
> > ><BR>
> > >You are required to change your password immediately (password aged)<BR>
> > >Your password has expired, the session cannot proceed.<BR>
> > >Connection to 192.168.2.4 closed.<BR>
> > ><BR>
> > ><BR>
> > >Thank you!<BR>
> > >Raj<BR>
> > ><BR>
> > ><BR>
> > ><BR>
> > ><BR>
> > > <http://clients.rediff.com/signature/track_sig.asp><BR>
> > ><BR>
> ><BR>
> ><BR>
> ><BR>
> ><BR>
> > <http://clients.rediff.com/signature/track_sig.asp><BR>
> ><BR>
>_______________________________________________<BR>
>rhn-users mailing list<BR>
>rhn-users@redhat.com<BR>
>https://www.redhat.com/mailman/listinfo/rhn-users<BR>
</P>
<br><br>
<A target="_blank" HREF="http://clients.rediff.com/signature/track_sig.asp"><IMG SRC="http://ads.rediff.com/RealMedia/ads/adstream_nx.cgi/www.rediffmail.com/inbox.htm@Bottom" BORDER=0 VSPACE=0 HSPACE=0></a>