Wed 5 Mar 2008
Passsword aging in Linux
Posted by asxinu under Admin, linux
No Comments
At least on HP-UX and Solaris, when you create a user and give them a password, you can use the command “passwd -f username” to force the user to change their password on initaly login. Linux on the other hand does not have this feature although after searching around, it appears that you can do this but with multiple steps. I’ve pulled this directly from a centos online manual: http://www.linuxtopia.org/online_books/centos_linux_guides/centos_enterprise_linux_sysadmin_guide/s1-users-cmd-line.html
If a system administrator wants a user to set a password the first time the user log in, the user’s initial or null password can be set to expire immediately, forcing the user to change it immediately after logging in for the first time.
To force a user to configure a password the first time the user logs in at the console, follow these steps. Note, this process does not work if the user logs in using the SSH protocol.
- Lock the user’s password — If the user does not exist, use the useradd command to create the user account, but do not give it a password so that it remains locked.If the password is already enabled, lock it with the command:
usermod -L username
- Force immediate password expiration — Type the following command:
chage -d 0 username
This command sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place.
- Unlock the account — There are two common approaches to this step. The administrator can assign an initial password or assign a null password.
Warning Do not use the passwd command to set the password as it disables the immediate password expiration just configured. To assign an initial password, use the following steps:
- Start the command line Python interpreter with the python command. It displays the following:
Python 2.2.2 (#1, Dec 10 2002, 09:57:09) [GCC 3.2.1 20021207 (Red Hat Enterprise Linux 4 3.2.1-2)] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>>
- At the prompt, type the following (replacing password with the password to encrypt and salt with a combination of exactly 2 upper or lower case alphabetic characters, digits, the dot (.) character, or the slash (/) character such as ab or 12):
import crypt; print crypt.crypt("password","salt")The output is the encrypted password, similar to 12CsGd8FRcMSM.
- Type [Ctrl]-[D] to exit the Python interpreter.
- Cut and paste the exact encrypted password output, without a leading or trailing blank space, into the following command:
usermod -p "encrypted-password" username
Instead of assigning an initial password, a null password can be assigned using the following command:
usermod -p "" username
Caution While using a null password is convenient for both the user and the administrator, there is a slight risk that a third party can log in first and access the system. To minimize this threat, it is recommended that the administrator verifies that the user is ready to log in when the account is unlocked. In either case, upon initial log in, the user is prompted for a new password.
- Start the command line Python interpreter with the python command. It displays the following:
