[rhn-users] force user to change password on first login

Raj Kumar rajkum2002 at rediffmail.com
Fri Feb 18 15:17:03 UTC 2005


Hi Mike,

I logged in as user1 today and I did not get any warnings. So "passwd -f user1" does not force the user to change password after 24 hrs.

Are there any other options to force the user to change their passwords at first logon?

Thank you,
Raj


On Thu, 17 Feb 2005 Raj  Kumar wrote :
>Hello Mike,
>
>Thanks for replying to my posting.
>
>I changed the password for user1 using "passwd -f user1" as root. I logged in successfully without any warnings that user1's password will expire soon. I'll try to log in tomorrow as user1 and see if I will get the warning. I may be wrong, but I think I won't get the error/warning message since the password doesn't expire until May 18, 2005.
>
>chage  -l user1
>Minimum:        0
>Maximum:        90
>Warning:        7
>Inactive:       -1
>Last Change:            Feb 17, 2005
>Password Expires:       May 18, 2005
>Password Inactive:      Never
>Account Expires:        Never
>
>I was just wondering what meta information will show that user1 will be given a warning message after 24 hrs.
>
>Thanks again for your help!
>
>Raj
>
>PS: I am sending this email to rhn-users list now... hope this info will be useful to others...
>
>On Wed, 16 Feb 2005 Sullivan,Michael wrote :
> >Hello Raj,
> >
> >You did interpret that correctly.  The user now will be prompted to change
> >their password in 24hrs after first login and the global policy has been
> >applied to the account. (password expiration in 90 days.)
> >
> >--Mike.
> >
> >CONFIDENTIALITY NOTICE:  This email from EDS is for the sole use of the
> >intended recipient and may contain confidential and privileged information.
> >Any unauthorized review or use, including disclosure or distribution is
> >prohibited.  If you are not the intended recipient, please contact the
> >sender and destroy all copies of the email.
> >
> >-----Original Message-----
> > From: Raj Kumar [mailto:rajkum2002 at rediffmail.com]
> >Sent: Wednesday, February 16, 2005 7:55 AM
> >To: Sullivan,Michael
> >Subject: Re: RE: [rhn-users] force user to change password on first login
> >
> >
> >
> >Mike,
> >
> >Thanks for your reply!
> >
> >man passwd:
> >
> >-u    This  is  the  reverse  of  the  -l  option - it will unlock the
> >account password by removing the ! prefix. This option is avail-
> >able  to  root  only.  By default passwd will refuse to create a
> >passwordless account (it will not unlock  an  account  that  has
> >only  "!" as a password). The force option -f will override this
> >protection.
> >
> >It looks like -f is just a "force option". So as root I tried
> >passwd -f user1
> >... entered new password
> >
> >logged in as user1 successfully. The reason I believe the login was
> >successful is because
> >
> >chage -l user1 -- before issuing passwd -f user1
> >
> >Minimum:        0
> >Maximum:        90
> >Warning:        7
> >Inactive:      -1
> >Last Change:            Feb 05, 2005
> >Password Expires:      May 06, 2005
> >Password Inactive:      Never
> >Account Expires:        Never
> >
> >chage -l user1-- after issuing passwd -f user1
> >
> >Minimum:        0
> >Maximum:        90
> >Warning:        7
> >Inactive:      -1
> >Last Change:            Feb 16, 2005
> >Password Expires:      May 17, 2005
> >Password Inactive:      Never
> >Account Expires:        Never
> >
> >---Password Expires:      May 17, 2005
> >Since the password expires on May 17, I was not forced to change the
> >password after log in as user1.
> >
> >Did I interpret it incorrectly?
> >
> >Thanks again for your help!!
> >
> >Raj
> >
> >On Wed, 16 Feb 2005 Sullivan,Michael wrote :
> > >Raj,
> > >
> > >The user's account should fall into the system wide policy.  In
> > >/etc/login.defs the value for PASS_MAX_DAYS should be set to 90.  Then every
> > >account on the box will expire in the 90 day rotation.  Good practice for
> > >security reasons!!
> > >
> > >You then don't have to account for it in your useradd() script.
> > >
> > >As for forcing the user to change their password at first login, in your
> > >script when you set the user's "default" password with passwd(), use the
> > >"-f" option to force a password change on first login.  You can also do some
> > >other "timed" password change options if you know the user isn't going to
> > >login "..right now....but you don't want the account to remain available
> > >for, let's say two weeks...." This is good in the event you're always using
> > >the same default password for your new users.  Prevents the "Internal Attacks",
> > >if you know what I mean.
> > >
> > >--Mike.
> > >
> > >-----Original Message-----
> > > From: rhn-users-bounces at redhat.com [mailto:rhn-users-bounces at redhat.com] On Behalf Of Raj Kumar
> > >Sent: Tuesday, February 15, 2005 5:28 PM
> > >To: Red Hat Network Users List
> > >Subject: [rhn-users] force user to change password on first login
> > >
> > >
> > >
> > >Hello,
> > >
> > >We have a script to create user accounts and set some default passwords.
> > >We want to force the users to change their passwords on their first login.
> > >After that, we want to force users to change their password every 90 days.
> > >How do I achieve this?
> > >
> > >chage -M 90 might force the user to change his password after 90 days from
> > >last change. But how do I force the user to change their password on first
> > >login? chage -M 0 ?? But after issuing chage -M 0 when I log in using ssh I
> > >get an error message:
> > >
> > >You are required to change your password immediately (password aged)
> > >Your password has expired, the session cannot proceed.
> > >Connection to 192.168.2.4 closed.
> > >
> > >
> > >Thank you!
> > >Raj
>_______________________________________________
>rhn-users mailing list
>rhn-users at redhat.com
>https://www.redhat.com/mailman/listinfo/rhn-users
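
The sketch below is an added example, not part of the original thread: it classifies a shadow(5) entry from the same aging fields that the `chage -l` output above reports, which shows why a fresh "Last Change" date produces neither a warning nor a forced change. The `aging_state` function name and the sample entries are constructed for illustration; day 12831 corresponds to the thread's "Last Change: Feb 17, 2005".

```shell
#!/bin/sh
# Added example, not from the thread. Classifies one shadow(5) line:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is in days since 1970-01-01. A lastchg of 0 is the marker for
# "must change password at next login" (what `chage -d 0 <user>` sets).

aging_state() {
    # $1 = shadow line, $2 = "today" in days since the epoch
    today=$2
    IFS=: read -r name hash lastchg min max warn rest <<EOF
$1
EOF
    if [ "$lastchg" = "0" ]; then
        echo must-change; return 0
    fi
    # Empty lastchg or max, a negative max, or a very large max
    # (conventionally 99999) means aging is effectively off.
    # Assumption of this sketch: the cutoff is 10000 days.
    if [ -z "$lastchg" ] || [ -z "$max" ] || [ "$max" -lt 0 ] || [ "$max" -ge 10000 ]; then
        echo no-aging; return 0
    fi
    expires=$((lastchg + max))
    # The exact boundary day can differ between login stacks; this sketch
    # treats the expiry day itself as expired.
    if [ "$today" -ge "$expires" ]; then
        echo expired
    elif [ -n "$warn" ] && [ "$today" -ge $((expires - warn)) ]; then
        echo warning
    else
        echo ok
    fi
}

# Constructed sample entries (hash fields are placeholders).
# 12831 = Feb 17, 2005; 12831 + 90 = 12921 = May 18, 2005.
TODAY=12832   # Feb 18, 2005
while IFS= read -r entry; do
    printf '%s -> %s\n' "${entry%%:*}" "$(aging_state "$entry" "$TODAY")"
done <<'EOF'
user1:HASH:12831:0:90:7:::
newuser:HASH:0:0:90:7:::
svc:*:12831:0:99999:7:::
EOF
```

An account-creation script can run the same classification against the new entry and treat anything other than `must-change` as a failed provisioning step.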