I was going to post my way of forcing (new) users to change their password, but unfortunately canjunman beat me to it. I will post it anyway, since I have a few nice extras.
Also, while writing this, I have found the reason why I also had the pam_passwdqc line in /etc/pam.d/sshd and not just in /etc/pam.d/passwd (see the forum thread anomie referred to). More about that below!
Okay, so let's start with some basics:
* your basic forced password change:
Like canjunman said, this is easiest with pw(8).
Code:
pw usermod <user> -p 0-0-0
Notice that I use 0-0-0 as the date here, an easy-to-remember 'date' that will always be in the past.
* what if a user forgot his password and you want to email him a new one?
You can quickly set a new random password, that will expire at first login, with:
Code:
pw usermod <user> -p 0-0-0 -w random
This makes it (relatively) safe to email it to him. If anyone retrieves the email later on, chances are the password has already been changed.
But how can you easily make all this apply to a new user? That's where /etc/adduser.conf comes into play! Let's set it up so adduser(8) creates a user with a random, expired password by default!
First run
At these questions, choose these defaults:
Use password-based authentication? yes
Use an empty password? no
Use a random password? yes
After all questions are answered you will be asked to confirm the default setup, review and say 'yes'. Your changes will be saved in /etc/adduser.conf
Next up, open /etc/adduser.conf - yes this has to be done manually - and add the line:
Now create a test user with adduser(8) and check it out! (You can remove the user afterwards with rmuser.)
One thing you might notice is that, when logging in the first time via ssh you are indeed forced to change your password, but no quality check is performed on it! That's why you also need the pam_passwdqc line in /etc/pam.d/sshd! Put it in so the last lines look like this:
Code:
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password requisite pam_passwdqc.so enforce=everyone min=disabled,8,8,8,8
password required pam_unix.so no_warn try_first_pass
I don't know why putting it in /etc/pam.d/passwd alone is not enough. If anyone can explain, please do!
Voilà, that's it!
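As an added example (not from the post above), here is a small POSIX sh check that audits a PAM service file for the configuration the post ends up with: an active pam_passwdqc.so entry, with a blocking control flag, placed before pam_unix.so in the password stack. The function name and the file paths are my own; pass it the files to check, e.g. /etc/pam.d/passwd and /etc/pam.d/sshd.

```shell
#!/bin/sh
# pam_has_passwdqc FILE
# Exit 0 if FILE's password stack has an uncommented pam_passwdqc.so line
# with a blocking control flag (requisite/required) that comes before
# pam_unix.so; exit 1 if the quality check is missing, ineffective or
# ordered after pam_unix; exit 2 if FILE cannot be read.
pam_has_passwdqc() {
    file="$1"
    [ -r "$file" ] || { echo "$file: not readable" >&2; return 2; }

    # Only uncommented lines whose first field is 'password', in file order.
    stack=$(grep -E '^[[:space:]]*password[[:space:]]' "$file")

    qc_line=$(printf '%s\n' "$stack" | grep -n 'pam_passwdqc\.so' | head -n1 | cut -d: -f1)
    unix_line=$(printf '%s\n' "$stack" | grep -n 'pam_unix\.so' | head -n1 | cut -d: -f1)

    if [ -z "$qc_line" ]; then
        echo "$file: no active pam_passwdqc line in the password stack"
        return 1
    fi

    # A 'sufficient' or 'optional' passwdqc entry would not block a weak password.
    qc_ctrl=$(printf '%s\n' "$stack" | grep 'pam_passwdqc\.so' | head -n1 | awk '{print $2}')
    case "$qc_ctrl" in
        requisite|required) ;;
        *) echo "$file: pam_passwdqc control '$qc_ctrl' does not block weak passwords"; return 1 ;;
    esac

    if [ -n "$unix_line" ] && [ "$qc_line" -gt "$unix_line" ]; then
        echo "$file: pam_passwdqc is listed after pam_unix, so the change is not gated by it"
        return 1
    fi

    echo "$file: OK (pam_passwdqc $qc_ctrl, before pam_unix)"
    return 0
}

# When run directly with file arguments, audit each one and exit non-zero if any fails.
status=0
for f in "$@"; do
    pam_has_passwdqc "$f" || status=1
done
[ $# -eq 0 ] || exit $status
```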