#3
Old 23rd June 2008
cajunman4life
Real Name: Aaron Graves
Package Pilot
 
Join Date: May 2008
Location: Coolidge, Arizona
Posts: 203

I can't speak to the ability to do this on CentOS or any other Linux for that matter, but as promised, I'm going to show you how to quickly and easily force a password change on your users of your FreeBSD system.

Let's say you just came across this guide, and you set up your password requirements. Great! But doing this won't require your users to change their passwords to be compliant. So how would you go about doing this?

The quick and easy way is to set the "change" date on the user's password. There are a few different ways to do this, and I'll touch on each way.

The first way is by using the chsh command. The syntax is:

Code:
# chsh <username>

This will bring up vi, or whatever root's editor is. Here's an example output from my system:

Code:
Changing user information for testuser.
Login: testuser
Password: (REMOVED)
Uid [#]: 10002
Gid [# or name]: 9999
Change [month day year]:
Expire [month day year]:
Class: default
Home directory: /home/testuser
Shell: /usr/local/bin/bash
Full Name: Test User
Office Location:
Office Phone:
Home Phone:
Other information:

Once in this editor, you can type the date in the "Change" field. Honestly I'm not sure of the different formats accepted in this field, but I generally use the numerical version of month (with leading "0" if necessary), same for day, and four-digit year. Use ":wq" to save and leave vi, and the next time the user is logged in, he will be informed that his password has expired, and he will have to select a new password using the rules you set up above.

Now, the other option is to use FreeBSD's "pw" command. The syntax is:

Code:
# pw usermod -p 23-Jun-2008 <username>

From the manpage:

Code:
<excerpt>
     -e date       Set the account's expiration date.  Format of the date is
                   either a UNIX time in decimal, or a date in `dd-mmm-yy[yy]'
                   format, where dd is the day, mmm is the month, either in
                   numeric or alphabetic format ('Jan', 'Feb', etc) and year
                   is either a two or four digit year.  This option also
                   accepts a relative date in the form `+n[mhdwoy]' where `n'
                   is a decimal, octal (leading 0) or hexadecimal (leading 0x)
                   digit followed by the number of Minutes, Hours, Days,
                   Weeks, Months or Years from the current date at which the
                   expiration date is to be set.

     -p date       Set the account's password expiration date.  This field is
                   similar to the account expiration date option, except that
                   it applies to forced password changes.  This is set in the
                   same manner as the -e option.
</excerpt>

I included the "-e" because it's referenced by "-p". Basically by using "pw" you're doing the same thing. There's just more than one way to do it.

Now, that is all well and good, but what if your users never log out? In the real world, this may actually never be possible (dropped network connections, etc), however I thought I'd throw in this little extra tidbit: Forcing a logout on one of your users.

It's quite simple really:

Code:
# pkill -KILL -u <username>

This will log out the user you enter in <username>. And the next time they log in, they'll be forced to change their password.

Comments/fixes/concerns/questions/etc are of course welcome.
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!
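An added example, not part of the original post: a dry-run audit for the procedure above that reads master.passwd-format lines, finds login accounts whose "Change" field is still unset, and prints the matching `pw usermod ... -p` command for each without running it. The function names, the `MIN_UID` cutoff, the skip rules and the sample accounts are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Input: master.passwd(5) lines,
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# MIN_UID and the skip rules below are assumptions; adjust for your site.
MIN_UID=${MIN_UID:-1000}

# Print login accounts that have no password change date set (change = 0).
accounts_without_change_date() {
    awk -F: -v min="$MIN_UID" '
        /^#/ || NF != 10      { next }   # comments, blank or malformed lines
        $3 + 0 < min          { next }   # system accounts
        $2 ~ /^\*/            { next }   # "*" or "*LOCKED*": no usable password
        $10 ~ /\/nologin$/    { next }   # no interactive login
        $6 == "" || $6 == "0" { print $1 }
    '
}

# Print (never execute) one pw command per account found on stdin.
# $1 is the change date in dd-mmm-yyyy form; the default is today.
print_pw_commands() {
    when=${1:-$(LC_ALL=C date +%d-%b-%Y)}
    accounts_without_change_date | while IFS= read -r user; do
        printf 'pw usermod -n %s -p %s\n' "$user" "$when"
    done
}

# Constructed sample input: not real accounts, not real password hashes.
sample_master_passwd() {
    cat <<'EOF'
# constructed sample in master.passwd format
root:$6$constructed$hash:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
testuser:$6$constructed$hash:10002:9999:default:0:0:Test User:/home/testuser:/usr/local/bin/bash
alice:$6$constructed$hash:10003:9999:default:1214179200:0:Alice:/home/alice:/bin/sh
bob:*LOCKED*$6$constructed$hash:10004:9999:default:0:0:Bob:/home/bob:/bin/sh
svc:$6$constructed$hash:10005:9999:default:0:0:Service:/nonexistent:/usr/sbin/nologin
EOF
}

# Demo on the constructed sample. On a real system, as root:
#   print_pw_commands 23-Jun-2008 < /etc/master.passwd
sample_master_passwd | print_pw_commands 23-Jun-2008
```

Review the printed commands before running any of them; accounts that already carry a change date (alice in the sample) are left out so an existing schedule is not overwritten.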