
Forcing new users to change their password on first login?



One interesting feature in Active Directory, is the ability to create
a new user with an expired password, and thus force the user to change
the password on the first login attempt.

I'm not quite sure how to do that with the LDAP setup in Debian Edu,
but did some initial testing with a local account.  The account and
password aging information is available in /etc/shadow, but
unfortunately, it is not possible to specify an expiration time for
passwords, only a maximum age for passwords.

A freshly created account (using adduser test) will have these
settings in /etc/shadow:

  root@tjener:~# chage -l test
  Last password change                                    : May 02, 2010
  Password expires                                        : never
  Password inactive                                       : never
  Account expires                                         : never
  Minimum number of days between password change          : 0
  Maximum number of days between password change          : 99999
  Number of days of warning before password expires       : 7
  root@tjener:~#

The only way I could come up with to create a user with an expired
account, is to change the date of the last password change to the
lowest value possible (January 1st 1970), and the maximum password age
to the difference in days between that date and today.  To make it
simple, I went for 30 years and January 2nd (to avoid testing if 0 is
a valid value).

After using these commands to set it up, it seems to work as intended:

  root@tjener:~# chage -d 1 test; chage -M 10950 test
  root@tjener:~# chage -l test2
  Last password change                                    : Jan 02, 1970
  Password expires                                        : never
  Password inactive                                       : never
  Account expires                                         : never
  Minimum number of days between password change          : 0
  Maximum number of days between password change          : 10950
  Number of days of warning before password expires       : 7
  root@tjener:~#

So far I have tested this with ssh and console, and kdm (in Squeeze)
login, and all ask for a new password before logging the user in (with
ssh, I was thrown out and had to log in again).

Perhaps we should set up something similar for Debian Edu, to make
sure only the user itself has the account password?

Happy hacking,
-- 
Petter Reinholdtsen

