I can't speak to the ability to do this on CentOS or any other Linux for that matter, but as promised, I'm going to show you how to quickly and easily force a password change on the users of your FreeBSD system.
Let's say you just came across this guide, and you set up your password requirements. Great! But doing this won't require your users to change their passwords to be compliant. So how would you go about doing this?
The quick and easy way is to set the "change" date on the user's password. There are a few different ways to do this, and I'll touch on each way.
The first way is by using the chsh command. The syntax is:
This will bring up vi, or whatever root's editor is. Here's an example output from my system:
Code:
Changing user information for testuser.
Login: testuser
Password: (REMOVED)
Uid [#]: 10002
Gid [# or name]: 9999
Change [month day year]:
Expire [month day year]:
Class: default
Home directory: /home/testuser
Shell: /usr/local/bin/bash
Full Name: Test User
Office Location:
Office Phone:
Home Phone:
Other information:
Once in this editor, you can type the date in the "Change" field. Honestly I'm not sure of the different formats accepted in this field, but I generally use the numerical version of month (with leading "0" if necessary), same for day, and four-digit year. Use ":wq" to save and leave vi, and the next time the user logs in, he will be informed that his password has expired, and he will have to select a new password using the rules you set up above.
Now, the other option is to use FreeBSD's "pw" command. The syntax is:
Code:
# pw usermod -n <username> -p 23-Jun-2008
From the manpage:
Code:
<excerpt>
-e date    Set the account's expiration date. Format of the date is
           either a UNIX time in decimal, or a date in `dd-mmm-yy[yy]'
           format, where dd is the day, mmm is the month, either in
           numeric or alphabetic format ('Jan', 'Feb', etc) and year
           is either a two or four digit year. This option also
           accepts a relative date in the form `+n[mhdwoy]' where `n'
           is a decimal, octal (leading 0) or hexadecimal (leading 0x)
           digit followed by the number of Minutes, Hours, Days,
           Weeks, Months or Years from the current date at which the
           expiration date is to be set.

-p date    Set the account's password expiration date. This field is
           similar to the account expiration date option, except that
           it applies to forced password changes. This is set in the
           same manner as the -e option.
</excerpt>
I included the "-e" because it's referenced by "-p". Basically by using "pw" you're doing the same thing. There's just more than one way to do it.
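Both methods end up writing the same value: the "change" field (the sixth colon-separated column) of the user's record in /etc/master.passwd. The following shell script is an added example, not part of the original guide; it reads a copy of that file and reports which login-capable accounts still have no forced change set. The sample records, the function names and the default minimum UID of 1000 are assumptions made for the example.

```shell
#!/bin/sh
# master.passwd(5) fields:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# "change" (field 6) is seconds since the epoch; 0 means no forced change.

# Constructed sample records (hashes are placeholders, not real).
sample_master_passwd() {
cat <<'EOF'
root:$6$constructed:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
testuser:$6$constructed:10002:9999:default:1214179200:0:Test User:/home/testuser:/usr/local/bin/bash
alice:$6$constructed:10003:9999:default:0:0:Alice Example:/home/alice:/bin/sh
bob:*LOCKED*$6$constructed:10004:9999:default:0:0:Bob Example:/home/bob:/bin/sh
carol:$6$constructed:10005:9999:default:4102444800:0:Carol Example:/home/carol:/bin/sh
EOF
}

# password_change_status FILE NOW [MIN_UID]   (hypothetical helper)
# Prints "name status" for each account that can log in with a password:
#   unset   - change is 0, nothing forces a new password
#   future  - change date is after NOW, old password accepted until then
#   expired - change date has passed, next login must choose a new password
password_change_status() {
    awk -F: -v now="$2" -v min_uid="${3:-1000}" '
        /^#/ || NF != 10 { next }   # comments and malformed records
        $3 < min_uid     { next }   # system accounts below the cut-off
        $10 ~ /nologin$/ { next }   # accounts without a login shell
        $2 ~ /^\*/       { next }   # no password, or locked with pw lock
        {
            if ($6 == 0)       status = "unset"
            else if ($6 > now) status = "future"
            else               status = "expired"
            print $1, status
        }' "$1"
}

# Demo on the constructed sample, evaluated against the current time.
demo_file=$(mktemp)
sample_master_passwd > "$demo_file"
password_change_status "$demo_file" "$(date +%s)"
rm -f "$demo_file"
```

On a real system, run it as root against /etc/master.passwd; accounts reported as "unset" are the ones that still need one of the methods above.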
Now, that is all well and good, but what if your users never log out? In the real world, this may actually never be possible (dropped network connections, etc), however I thought I'd throw in this little extra tidbit: Forcing a logout on one of your users.
It's quite simple really:
Code:
# pkill -KILL -u <username>
This sends SIGKILL to every process owned by <username>, which logs the user out of all of their sessions and also ends anything else they were running. The next time they log in, they'll be forced to change their password.
Comments/fixes/concerns/questions/etc. are of course welcome.