Password aging

Rick Stevens rstevens at vitalstream.com
Thu Aug 18 17:21:40 UTC 2005


Allen, Jack wrote:
> 
> -----Original Message-----
> From: Rick Stevens [mailto:rstevens at vitalstream.com] 
> Sent: Thursday, August 18, 2005 12:07 PM
> To: Getting started with Red Hat Linux
> Subject: Re: Password aging
> 
> 
> Allen, Jack wrote:
> 
>>-----Original Message-----
>>From: jludwig [mailto:wralphie at comcast.net] 
>>Sent: Wednesday, August 17, 2005 8:21 PM
>>To: Getting started with Red Hat Linux
>>Subject: Re: Password aging
>>
>>
>>On Wednesday 17 August 2005 06:46 pm, Allen, Jack wrote:
>>
>>
>>>I have AS 4 64 bit installed. I have tried to enable password aging, but
>>>can not get it to work. I have used the chage command to change the
>>>expiration day. I can show it should have expired by doing "chage -l
>>>login_name". When I login I do not get a warning, and I am not asked to
>>>change my password. Is there some other configuration file that needs to
>>>be changed to enable it? The system is configured with shadow and md5
>>>encryption.
>>
>>
>>From:
>>man chage
>>
>>       The  -E  option is used to set a date on which the user's account
>>will no longer be accessible.  The expiredate option is the number of days
>>since January 1, 1970 on which the account is locked.  The date may also be
>>expressed in the format YYYY-MM-DD (or the format more commonly used in
>>your area).  A user whose account is locked must contact the system
>>administrator before being able to use the system again.
>>
>>Did you set this?
>>
>>	I am not trying to lock the account. I am trying to force the user
>>to change their password after a certain number of days. You know company
>>rules. What should be happening is the user connects to the system, provides
>>their login name and then gets prompted for their password. After they enter
>>the password they should get a message that their password has expired and
>>please enter a new one. In other words it would be like they got logged in
>>and received a message to change their password and they entered "passwd".
> 
> 
> You need to set the "-W n" (warn days) option to chage.  In other words,
> to set a user's account to expire on September 1, 2005, and warn them
> for 7 days previous, the chage command would be:
> 
>      # chage -E 2005-09-01 -W 7 username
> 
> 
>>	I assume it is the login program that handles this by what it finds
>>in the shadow file. I have also looked for configuration options for login,
>>to try and determine if it should be paying any attention to the aging
>>information in the shadow file. I could not find anything. I have even
>>looked at PAM and found /etc/pam.d/login. But I determined by looking at the
>>last accessed time on the file that it was not being accessed when I tested
>>logging in. So I am still looking for what controls making the user change
>>their password after some number of days.
> 
> 
> That's the "-M" option.  Here's a form I use a lot; it sets the
> following criteria:
> 
>      Disable an account after 60 days of inactivity
>      Allow a user to change passwords whenever they want
>      Force a password change every 30 days
>      Warn the user for 7 days to change their password
> 
> The corresponding chage command is:
> 
>      # chage -I 60 -m 0 -M 30 -W 7 username
> 
> You do know that chage will run in interactive mode if you don't specify
> any options, e.g.
> 
>      # chage username
> 
> =============
> These are the settings for user white3. When I connect I enter the login name
> and then the password and get the shell prompt. It never warns me the
> password will or has expired. So what am I missing? As I asked earlier,
> exactly what program is supposed to be checking the values? I assume login,
> maybe using one of the PAM configuration files.
> 
> Changing the aging information for white3
> Enter the new value, or press ENTER for the default
> 
>         Minimum Password Age [0]: 
>         Maximum Password Age [1]: 
>         Last Password Change (YYYY-MM-DD) [2005-08-15]: 
>         Password Expiration Warning [1]: 
>         Password Inactive [14]: 
>         Account Expiration Date (YYYY-MM-DD) [2005-08-22]:

Ok, it absolutely should work.  Have you run pwck?  Also verify that
/etc/shadow has all the fields filled in.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-   NEWS FLASH! Intelligence of mankind decreasing!  Details at...   -
-     uh, when, uh, the little hand is, uh, on the...  Aw, NUTS!     -
----------------------------------------------------------------------
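
Added example, not part of the original thread: a simplified model of how the shadow(5) aging fields in an /etc/shadow line combine into a state for a given day, which is one way to check that the fields are filled in as suggested above. The function name, the state labels and the sample line (built from the white3 values quoted above, with a placeholder hash) are assumptions, and the exact boundary day differs between implementations.

```shell
#!/bin/sh
# Added example: classify one /etc/shadow line against a given day number.
# Simplified model of the shadow(5) aging fields; not the code login or PAM runs.

# usage: shadow_aging_state 'name:hash:lastchg:min:max:warn:inactive:expire:' TODAY
# TODAY is days since 1970-01-01, e.g. $(( $(date +%s) / 86400 ))
shadow_aging_state() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    function isnum(v) { return v ~ /^[0-9]+$/ }
    {
        # A shadow entry has nine colon-separated fields (the last is reserved).
        if (NF != 9) { print "malformed"; exit }
        lastchg = $3; max = $5; warn = $6; inact = $7; expire = $8
        # Every aging field must be empty or a non-negative integer.
        for (i = 3; i <= 8; i++)
            if ($i != "" && !isnum($i)) { print "malformed"; exit }
        # Account expiration date (chage -E) wins over everything else.
        if (expire+0 > 0 && today >= expire+0) { print "account_expired"; exit }
        # Empty last-change field: aging is disabled for this entry.
        if (lastchg == "")  { print "aging_disabled"; exit }
        # Last change of 0: a change is required at the next login.
        if (lastchg+0 == 0) { print "must_change"; exit }
        # No maximum age (chage -M) set: the password never ages out.
        if (max == "")      { print "ok"; exit }
        pw_end = lastchg + max
        # Past the inactivity window (chage -I) after the password expired.
        if (inact != "" && today > pw_end + inact) { print "password_inactive"; exit }
        if (today > pw_end) { print "password_expired"; exit }
        # Inside the warning window (chage -W) before expiry.
        if (warn != "" && today > pw_end - warn) { print "warn"; exit }
        print "ok"
    }'
}

# Constructed sample from the white3 values quoted above:
# 2005-08-15 is day 13010, 2005-08-22 is day 13017; HASH is a placeholder.
SAMPLE='white3:HASH:13010:0:1:1:14:13017:'
shadow_aging_state "$SAMPLE" 13013   # evaluated for 2005-08-18
```
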



