#4 - 24th June 2008
hopla

I was going to post my way of forcing (new) users to change their password, but unfortunately canjunman beat me to it. I will post it anyway, since I have a few nice extras.

Also, while writing this, I have found the reason why I also had the pam_passwdqc line in /etc/pam.d/sshd and not just in /etc/pam.d/passwd (see the forum thread anomie referred to). More about that below!

Okay, so let's start with some basics:

* your basic forced password change:

Like canjunman said, this is easiest with pw(8).
Code:
pw usermod <user> -p 0-0-0
Notice that I use 0-0-0 as the date here, an easy-to-remember 'date' that will always be in the past.

* what if a user forgot his password and you want to email him a new one?

You can quickly set a new random password that will expire at first login with:
Code:
pw usermod <user> -p 0-0-0 -w random
This makes it (relatively) safe to email it to him. If anyone retrieves the email later on, chances are the password has already been changed.


But how can you easily make all this apply to a new user? That's where /etc/adduser.conf comes into play! Let's set it up so adduser(8) creates a user with a random, expired password by default!

First run
Code:
adduser -C
At these questions, choose these defaults:

Use password-based authentication? yes
Use an empty password? no
Use a random password? yes

After all questions are answered you will be asked to confirm the default setup; review it and say 'yes'. Your changes will be saved in /etc/adduser.conf.

Next up, open /etc/adduser.conf - yes, this has to be done manually - and add the line:
Code:
upwexpire=0-0-0
Now create a test user with adduser(8) and check it out! (you can remove the user afterwards with rmuser)

One thing you might notice is that, when logging in the first time via ssh you are indeed forced to change your password, but no quality check is performed on it! That's why you also need the pam_passwdqc line in /etc/pam.d/sshd! Put it in so the last lines look like this:

Code:
# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        requisite       pam_passwdqc.so         enforce=everyone min=disabled,8,8,8,8
password        required        pam_unix.so             no_warn try_first_pass
I don't know why putting it in /etc/pam.d/passwd alone is not enough. If anyone can explain, please do!

Voilà, that's it!
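An added check, written for this thread and not part of hopla's post: a small sh script that audits a pam.d service file (such as /etc/pam.d/sshd) and reports whether its "password" stack runs pam_passwdqc with enforce=everyone before pam_unix, which is exactly the ordering the fix above depends on. The two sample stacks and the temp file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the forum post): audit a pam.d service file
# and report whether password quality is enforced for everyone, i.e. an
# active pam_passwdqc.so line (required/requisite, enforce=everyone) comes
# before pam_unix.so in the "password" stack.

# passwdqc_enforced FILE -> exit 0 if enforced, 1 otherwise.
# Assumes plain control keywords (required/requisite), not "[...]" forms.
passwdqc_enforced() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }            # skip comments and blanks
        $1 != "password"     { next }            # only the password stack
        $3 ~ /pam_passwdqc\.so$/ {
            ok_ctl = ($2 == "requisite" || $2 == "required")
            for (i = 4; i <= NF; i++)
                if ($i == "enforce=everyone" && ok_ctl) seen_qc = 1
            next
        }
        $3 ~ /pam_unix\.so$/ && !seen_qc { bad = 1; exit }   # unix first
        END { exit (seen_qc && !bad) ? 0 : 1 }
    ' "$1"
}

# Constructed samples: the stack from the post, and one where the
# passwdqc line is still commented out (quality check silently skipped).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_OK="$WORK/sshd.ok"
SAMPLE_MISSING="$WORK/sshd.missing"
cat > "$SAMPLE_OK" <<'EOF'
# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        requisite       pam_passwdqc.so         enforce=everyone min=disabled,8,8,8,8
password        required        pam_unix.so             no_warn try_first_pass
EOF
cat > "$SAMPLE_MISSING" <<'EOF'
# password
#password       requisite       pam_passwdqc.so         enforce=everyone
password        required        pam_unix.so             no_warn try_first_pass
EOF

for f in "$SAMPLE_OK" "$SAMPLE_MISSING"; do
    if passwdqc_enforced "$f"; then
        echo "$f: pam_passwdqc enforced before pam_unix"
    else
        echo "$f: WARNING: password quality not enforced in this stack"
    fi
done
```

Run it against /etc/pam.d/sshd and /etc/pam.d/passwd to see which service stacks actually enforce the check.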