
Re: Set passwd on first login?

Answer to my own post! :)

Just one more experiment showed me that I can change the
"last password change" field in /etc/shadow to 0 and the
user will be prompted for a password.  That is what I
wanted.  But anyway, the question about manipulation of
fields in /etc/shadow remains.  Is it possible to make
password use flags:

   -f - force password change (set lastchange=0)
   -n min - set minimum field to min
   -w warn - set warning field to warn
   -x max - set maximum field to max
(taken from the Solaris passwd(1) manpage).  I.e. is it
possible with pam/unix/pwdb etc, as password (at least
redhat's one) is pamified?  Or maybe I should get/write
another version of the password program?

And another issue -- when I force a user to change password
(both expiration and outlined below), login (?) does not use
pam_cracklib.  I.e. I can set the password to just "psw",
but with plain "passwd" I am unable to choose that -- cracklib says
"is too simple".  Is that a pam_pwdb issue?

"Michael Ju. Tokarev" wrote:
> Hi here!
> Please excuse me for this dummy question...
> I can't find a (correct) way to force user to enter
> password at first login.  When I create user, I usually
> (on Solaris) issue a command "passwd -d user", user
> will be prompted when he/she first logs in.
> Solaris also uses PAM, and this is in pam_unix module.
> Here is a redhat linux, and by default login asks for new
> password only if I also change "last password change" field
> in /etc/shadow to two days before and "should change after"
> to 1.  But I must set those back after he/she logs on and changes
> password.
> (Or change "last password change" to past 1 month and require
> password changes in less than month...  This is not elegant also.)
> There is also a flag for solaris's password program, namely "-f",
> to force user's password change next time he/she logs on.  Maybe
> the same thing exists for linux?
> Is there some module (or config for pwdb/unix) so that it will be possible?
> I also noted that such an ability should not be enforced for _all_ users,
> for example, entries for "shutdown", "eject" etc can be without password
> at all..
> Thanks!
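
An added example, not part of the original message: a small audit script that reads /etc/shadow-style lines and reports each account's aging state from the lastchange, minimum, maximum and warning fields discussed above, including the lastchange=0 case and accounts left with an empty password field. The function names and sample entries are constructed for illustration, and the checks are a simplified reading of shadow(5), not the logic of pam_pwdb or pam_unix.

```python
# Field layout per shadow(5):
#   name:password:lastchg:min:max:warn:inactive:expire:reserved
# Day values count days since 1970-01-01.

# Constructed sample entries, not taken from a real system.
SAMPLE_SHADOW = """\
root:$1$CONSTRUCTED$HASH:10500:0:99999:7:::
newuser::0:0:99999:7:::
alice:$1$CONSTRUCTED$HASH:10400:1:30:7:::
bob:$1$CONSTRUCTED$HASH:10480:1:30:7:::
shutdown:*:10500:0:99999:7:::
guest::10500:0:99999:7:::
"""

def _num(field):
    """An empty numeric field means 'not set'."""
    return int(field) if field.strip() else None

def parse_shadow_line(line):
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError("expected 9 fields, got %d" % len(parts))
    entry = {"name": parts[0], "password": parts[1]}
    keys = ("lastchg", "min", "max", "warn")
    entry.update(zip(keys, (_num(p) for p in parts[2:6])))
    return entry

def aging_status(entry, today):
    """Classify one entry; 'today' is a day count since the epoch."""
    if entry["password"][:1] in ("*", "!"):
        return "locked"              # no password login possible
    if entry["lastchg"] == 0:
        return "change-forced"       # must set a password at next login
    if entry["password"] == "":
        return "no-password"         # empty field and no forced change
    if entry["lastchg"] is None or entry["max"] is None:
        return "ok"                  # aging not configured
    expires = entry["lastchg"] + entry["max"]
    if today > expires:
        return "expired"
    if entry["warn"] is not None and today > expires - entry["warn"]:
        return "warning"
    return "ok"

def audit(text, today):
    lines = (l for l in text.splitlines() if l.strip())
    return {e["name"]: aging_status(e, today)
            for e in map(parse_shadow_line, lines)}

if __name__ == "__main__":
    for name, state in audit(SAMPLE_SHADOW, today=10505).items():
        print("%-10s %s" % (name, state))
```

Entries reported as "no-password" are the ones to review: the password field is empty but nothing forces the user to set one.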
