Password aging
Rick Stevens
rstevens at vitalstream.com
Thu Aug 18 16:06:52 UTC 2005
Allen, Jack wrote:
>
> -----Original Message-----
> From: jludwig [mailto:wralphie at comcast.net]
> Sent: Wednesday, August 17, 2005 8:21 PM
> To: Getting started with Red Hat Linux
> Subject: Re: Password aging
>
>
> On Wednesday 17 August 2005 06:46 pm, Allen, Jack wrote:
>
>>I have AS 4 64 bit installed. I have tried to enable password aging, but
>>can not get it to work. I have used the chage command to change the
>>expiration day. I can show it should have expired by doing "chage -l
>>login_name". When I login I do not get a warning, and I am not asked to
>>change my password. Is there some other configuration file that needs to
>>be changed to enable it? The system is configured with shadow and md5
>>encryption.
>
>
> From:
> man chage
>
> The -E option is used to set a date on which the user's account will
> no longer be accessible. The expiredate option is the number of days since
> January 1, 1970 on which the account is locked. The date may also be
> expressed in the format YYYY-MM-DD (or the format more commonly used in
> your area). A user whose account is locked must contact the system
> administrator before being able to use the system again.
>
> Did you set this?
>
> I am not trying to lock the account. I am trying to force the user
> to change their password after a certain number of days. You know company
> rules. What should be happening is the user connects to the system, provides
> their login name and then gets prompted for their password. After they enter
> the password they should get a message that their password has expired and
> please enter a new one. In other words it would be like they got logged in
> and received a message to change their password and they entered "passwd".
You need to set the "-W n" (warn days) option to chage. In other words,
to set a user's account to expire on September 1, 2005, and warn them
for 7 days previous, the chage command would be:
# chage -E 2005-09-01 -W 7 username
> I assume it is the login program that handles this by what it finds
> in the shadow file. I have also looked for configuration options for login,
> to try and determine if it should be paying any attention to the aging
> information in the shadow file. I could not find anything. I have even
> looked a PAM and found /etc/pam.d/login. But I determined by looking at the
> last accessed time on the file that it was not being accessed when I tested
> logging in. So I am still looking for what controls making the user change
> their password after some number of days.
That's the "-M" option. Here's a form I use a lot; it sets the
following criteria:
Disable an account after 60 days of inactivity
Allow a user to change passwords whenever they want
Force a password change every 30 days
Warn the user for 7 days to change their password
The corresponding chage command is:
# chage -I 60 -m 0 -M 30 -W 7 username
You do know that chage will run in interactive mode if you don't specify
any options, e.g.
# chage username
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer rstevens at vitalstream.com -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- Overweight: When you step on your dog's tail...and it dies. -
----------------------------------------------------------------------
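The thread above maps chage options onto the aging fields of /etc/shadow (-d, -m, -M, -W, -I, -E) without showing how those fields are evaluated at login. The script below is an added example, not code from this list or from the shadow/PAM projects: it is a simplified re-implementation of the checks that login-time code performs on one shadow(5) record, so an administrator can see which state a given record would produce on a given day. The function name shadow_status and the sample records are constructed for this example; the field layout and day-number semantics are those documented in shadow(5).

```shell
#!/bin/sh
# Simplified, stand-alone re-implementation of the password-aging checks
# done at login (illustrative only; not pam_unix's or login's own code).
#
# /etc/shadow record layout (shadow(5)):
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg, max, warn, inactive are day counts (chage -d/-M/-W/-I);
# expire is a day number since 1970-01-01 (chage -E). Empty = not enforced.

# shadow_status RECORD TODAY
#   RECORD: one shadow line, TODAY: day number since 1970-01-01
#   prints exactly one of:
#     account_expired  TODAY >= expire field (chage -E)
#     must_change      lastchg is 0: change required at next login
#     inactive_locked  password expired more than `inactive` days ago (-I)
#     password_expired TODAY > lastchg + max (-M)
#     warn             within `warn` days of expiry (-W)
#     ok               nothing to report
shadow_status() {
    record=$1
    today=$2
    oldIFS=$IFS
    IFS=:
    set -f                      # no glob expansion of the hash field
    set -- $record              # split on ':'; empty fields stay empty
    set +f
    IFS=$oldIFS
    lastchg=$3; max=$5; warn=$6; inactive=$7; expire=$8

    # Account expiry (-E) locks the account regardless of the password.
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo account_expired; return
    fi
    # A zero "last changed" day forces a change at next login.
    if [ "$lastchg" = 0 ]; then
        echo must_change; return
    fi
    # Without a last-change day or a maximum age, aging is not enforced.
    if [ -z "$lastchg" ] || [ -z "$max" ]; then
        echo ok; return
    fi
    expiry_day=$((lastchg + max))
    if [ "$today" -gt "$expiry_day" ]; then
        # Past expiry plus the inactivity grace period (-I): account locked.
        if [ -n "$inactive" ] && [ "$today" -gt $((expiry_day + inactive)) ]; then
            echo inactive_locked; return
        fi
        echo password_expired; return
    fi
    # Inside the warning window (-W): login succeeds with a warning.
    if [ -n "$warn" ] && [ "$today" -ge $((expiry_day - warn)) ]; then
        echo warn; return
    fi
    echo ok
}

# Constructed sample: the policy from the thread (-I 60 -m 0 -M 30 -W 7),
# last changed on day 13000, hash is a placeholder.
SAMPLE='alice:$6$constructed$hash:13000:0:30:7:60::'
# Constructed sample: account expiry set to 2005-09-01 (day 13027, -E).
SAMPLE_E='bob:$6$constructed$hash:13000:0:99999:7::13027:'

# Walk the first record through several days to show each state.
for day in 13010 13025 13031 13100; do
    echo "day $day: $(shadow_status "$SAMPLE" "$day")"
done
echo "today: $(shadow_status "$SAMPLE" $(( $(date +%s) / 86400 )))"
```

Run it against your own shadow line (as root, for example `grep '^username:' /etc/shadow`) with today's day number, which is `$(( $(date +%s) / 86400 ))`, to see whether a record that `chage -l` says should have expired would actually be treated as expired by these rules.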