
Pre-expired passwords on new user accounts

 
Thomas Kemp_1
Advisor


All -

(For RHEL and Fedora Core 2)

Is there a way to create an account with a pre-expired password so that when a user logs in for the first time they are forced to change their password? Other *IXs do this with no problem.

SSH is the only accepted login method for my systems. Telnet is verboten.

When I do "chage -d 0 ", and try to ssh into the box, it says I am required to change my password immediately, states my password has expired, and logs me out.

Is there a way with "chage" or with PAM modules to create accounts with pre-expired passwords?

TNA
Steven E. Protter
Exalted Contributor

Re: Pre-expired passwords on new user accounts

In HP-UX passwd -f will force a user to change password on next login.

Seems it doesn't work the same on Linux.

passwd -l locks the account.

My Red Hat boxes don't have a change command at all.

The passwd man page might provide you an actual solution to this question.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Thomas Kemp_1
Advisor

Re: Pre-expired passwords on new user accounts

Hi -

Yeah, it's pretty strange that I can't find anything on this when it's a pretty simple thing I want to do. The command to change the age of passwords is "chage", minus the "n". But this torments SSH when you "chage -d 0" with SSH, so I figured there would be a PAM option for this.

Regards,
Stuart Browne
Honored Contributor

Re: Pre-expired passwords on new user accounts

No, pam isn't really involved with account creation, just system usage in general.

You might want to look at the '/etc/default/useradd' settings, and the '-e' flag to 'useradd'.
One long-haired git at your service...
Ermin Borovac
Honored Contributor
Solution

Re: Pre-expired passwords on new user accounts

I think you will find that after turning off privilege separation in sshd_config (UsePrivilegeSeparation no), sshd proceeds with password change (verifies current password and prompts for a new password).

With privilege separation turned on the following error appears in /var/log/secure (this is on FC2 system).

Nov 3 17:29:26 csspc sshd[32077]: fatal: Password changing is currently unsupported with privilege separation

Please note that disabling privilege separation has some security implications.
Thomas Kemp_1
Advisor

Re: Pre-expired passwords on new user accounts

Ermin -

Thanks, I'll look into this.

Regards,
Thomas Kemp_1
Advisor

Re: Pre-expired passwords on new user accounts

That did the trick by setting the option in sshd_config to "no". Works like a champ! Luckily, these aren't internet facing boxes, and I'll make a note of not disabling this on critical systems.

Thanks again.
Thomas Kemp_1
Advisor

Re: Pre-expired passwords on new user accounts

Setting the sshd_config UsePrivilegeSeparation to "no" allows a remote login via ssh to change a pre-expired password.
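
Added example, not part of any post in this thread: a POSIX shell audit that lists accounts left in the "chage -d 0" state, reads the effective UsePrivilegeSeparation value from sshd_config, and counts the fatal message quoted above in a log. The function names, the sample shadow and config text and the second log line are constructed for illustration, and treating an absent keyword as "yes" is an assumption about the OpenSSH builds discussed here.

```shell
#!/bin/sh
# Added example: audit helpers for the failure described in this thread.

# Accounts whose shadow "last change" field (3rd) is 0, the state that
# "chage -d 0" leaves behind. Reads shadow-format text on stdin.
forced_change_users() {
    awk -F: '$3 == "0" { print $1 }'
}

# Effective UsePrivilegeSeparation value from sshd_config text on stdin.
# sshd keeps the first value given for a keyword and keywords are
# case-insensitive. ASSUMPTION: "yes" when the keyword is absent.
privsep_setting() {
    awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }'
}

# Number of sessions sshd ended with the message quoted in the thread.
count_privsep_failures() {
    grep -c 'fatal: Password changing is currently unsupported with privilege separation' || true
}

# Accounts expected to hit that failure at first SSH login: a forced
# change is pending and privilege separation is not set to "no".
at_risk_users() {  # $1 = shadow text, $2 = sshd_config text
    if [ "$(printf '%s\n' "$2" | privsep_setting)" != "no" ]; then
        printf '%s\n' "$1" | forced_change_users
    fi
}

# Constructed sample input (only the first log line is taken from the thread).
SAMPLE_SHADOW='root:$1$constructed$hash:12700:0:99999:7:::
newuser:$1$constructed$hash:0:0:99999:7:::
olduser:$1$constructed$hash:12650:0:99999:7:::'
SAMPLE_CONFIG='Protocol 2
#UsePrivilegeSeparation no
UsePrivilegeSeparation yes'
SAMPLE_LOG='Nov 3 17:29:26 csspc sshd[32077]: fatal: Password changing is currently unsupported with privilege separation
Nov 3 17:30:02 csspc sshd[32090]: Accepted password for olduser from 192.0.2.10 port 40022 ssh2'

echo "privilege separation: $(printf '%s\n' "$SAMPLE_CONFIG" | privsep_setting)"
echo "at risk: $(at_risk_users "$SAMPLE_SHADOW" "$SAMPLE_CONFIG")"
echo "failures logged: $(printf '%s\n' "$SAMPLE_LOG" | count_privsep_failures)"
```

On a real host the same functions can be fed /etc/shadow, /etc/ssh/sshd_config and /var/log/secure on stdin, which requires root to read the shadow file.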