Linux – Turn off password expiration after user changes password (Linux)

emaillinux

One of my e-mail servers uses unix system accounts for user login.
Because I didn't set up any complex password policies (our users, including management staff, don't like complicated passwords), one of the accounts, that had a dictionary 6 letter pasword, was hacked and a few thousand spams were sent. So, naturally, our IP ended up in 3 RBLs.
After talking with the management, we decided that it was time to increase password complexity requirements. (minimum 8 characters, upper case, lower case, numbers, etc)

Now, here is the problem. How to make sure that all our users really change the password without having to check the logs, chage command output, etc?
The best solution I could think of, was to set a 10 day password expiration for all users and then send a mass email to everyone, telling them that if they don't change their password, after 10 days they won't be able to login.

So I started doing tests, to see if this was a viable solution and I encountered a problem that I should have foreseen:
Even though I set the password expiration to 10 days (chage -M 10 user), after changing the password, the expiration date remained the same, instead of returning to "never".

Is there some way of turning off password expiration after the user has changed it's password? (Users can change their password via the webmail interface, using a script based on chpasswd command).

Best Answer

I would try to combine chage -M and -d options.

-M

Set the maximum number of days during which a password is valid. When MAX_DAYS plus LAST_DAY is less than the current day, the user will be required to change his/her password before being able to use his/her account.

-d

Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format YYYY-MM-DD.

So given these options, decide how often you want your passwords to expire. Obviously you don't want them to expire every 10 days, so -M option should be set to a higher value.

To make your users change their passwords in next 10 days, set the -d (LAST_DAY) option to the value so that LAST_DAY + MAX_DAYS == TODAY + 10 DAYS.

This trick will allow you to make the password expiration date approach faster. Once the password is changed, next expiration date will be set based on the value specified with the -M option.

Related Solutions

Linux – How to automatically notify users of expiring passwords

See if this does what you're looking for. You can set the warning time using the chage command or passwd -w:

#!/bin/bash

# notifypwexp - send mail to users whose passwords are expiring soon
# designed to be run daily or weekly from cron

# call with -w for weekly mode (checks to see if warning period begins in the next 7 days
# use -w for a weekly cron job, avoiding excessive emails

# with no option, it only checks whether we're in the warning period now
# use this for a daily cron job

# by Dennis Williamson

# ### SETUP ###

if [[ $1 == "-w" ]] # check for expiration warnings beginning during the next seven days
then
    weekmode=7
else
    weekmode=0
fi

admins="root postmaster"
declare -r aged=21 # minimum days after expiration before admins are emailed, set to 0 for "always"

hostname=$(hostname --fqdn)

# /etc/shadow is system dependent
shadowfile="/etc/shadow"
# fields in /etc/shadow
declare -r last=2
#declare -r may=3 # not used in this script
declare -r must=4
declare -r warn=5
#declare -r grace=6 # not used in this script
declare -r disable=7

declare -r doesntmust=99999
declare -r warndefault=7

passwdfile="/etc/passwd"
declare -r uidfield=3
declare -r unamefield=1
# UID range is system dependent
declare -r uidmin=1000
declare -r uidmax=65534 # exclusive

# remove the hardcoded path from these progs to use them via $PATH
# mailx is system dependent
notifyprog="/bin/mailx"
grepprog="/bin/grep"
awkprog="/usr/bin/awk"
dateprog="/bin/date"

# comment out one of these
#useUTC=""
useUTC="-u"

# +%s is a GNUism - set it to blank and use dateformat if you have
# a system that uses something else like epochdays, for example
epochseconds="+%s"
dateformat=""   # blank for GNU when epochseconds="+%s"
secondsperday=86400 # set this to 1 for no division

today=$(($($dateprog $useUTC $epochseconds $dateformat)/$secondsperday))
oIFS=$IFS

# ### END SETUP ###

# ### MAIL TEMPLATES ###

# use single quotes around templates, backslash escapes and substitutions 
# will be evaluated upon output
usersubjecttemplate='Your password is expiring soon'
userbodytemplate='Your password on $hostname expires in $(($expdate - $today)) days.

Please contact the IT department by email at \"helpdesk\" or at 
extension 555 if you have any questions. Help is also available at 
http://helpdesk.example.com/password'

adminsubjecttemplate='User Password Expired: $user@$hostname'
adminbodytemplate='The password for user $user on $hostname expired $age days ago.

Please contact this user about their inactive account and consider whether
the account should be disabled or deleted.'

# ### END MAIL TEMPLATES ###

# get real users
users=$($awkprog -F:    -v uidfield=$uidfield \
            -v unamefield=$unamefield \
            -v uidmin=$uidmin \
            -v uidmax=$uidmax \
            -- '$uidfield>=uidmin && $uidfield<uidmax \
                {print $unamefield}' $passwdfile)

for user in $users;
do

    IFS=":"
    usershadow=$($grepprog ^$user $shadowfile)

    # make an array out of it
    usershadow=($usershadow)
    IFS=$oIFS

    mustchange=${usershadow[$must]}
    disabledate=${usershadow[$disable]:-$doesntmust}

    # skip users that aren't expiring or that are disabled
    if [[ $mustchange -ge $doesntmust || $disabledate -le $today  ]] ; then continue; fi;

    lastchange=${usershadow[$last]}
    warndays=${usershadow[$warn]:-$warndefault}
    expdate=$(($lastchange + $mustchange))

    threshhold=$(($today + $warndays + $weekmode))

    if [[ $expdate -lt $threshhold ]];
    then
        if [[ $expdate -ge $today ]];
        then
            subject=$(eval "echo \"$usersubjecttemplate\"")
            body=$(eval "echo \"$userbodytemplate\"")
            echo -e "$body" | $notifyprog -s "$subject" $user 
        else
            if [[ $age -ge $aged ]];
            then
                subject=$(eval "echo \"$adminsubjecttemplate\"")
                body=$(eval "echo \"$adminbodytemplate\"")
                echo -e "$body" | $notifyprog -s "$subject" $admins
            fi
        fi
    fi

done

Linux – Why is a linux account not accepting old password after changing password expiration to “never” using chage

The password expiration setting only affects the future, it cannot change the past. Once a password has expired, it has expired. You can't change the fact that this has already happened.

Best Answer

Related Solutions

Linux – How to automatically notify users of expiring passwords

Linux – Why is a linux account not accepting old password after changing password expiration to “never” using chage

Related Topic