On OpenBSD 5.6 I need to provision a number of user accounts with default passwords. I would like users, upon their first SSH login, to be forced to change their passwords from the default.
On CentOS and Debian I can do this using chage -d 0 $username.
It appears from the login.conf manual that I should be able to accomplish the same thing on OpenBSD with something like:
usermod -f 1 $username
or usermod -f "Jan 1 2015" $username
Setting it that way does prompt the appropriate change in userinfo $username, but logging in as $username via SSH does not actually enforce a password change: it opens the shell quite happily, oblivious to the password having been marked inactive above.
Some posts from 2000 talk through writing a wrapper login shell to force a password change. That said, given the obvious scaffolding in usermod and chpass, it seems that this is built in, but not documented as widely as the Linux equivalents.
Can a BSD pro shed some light on the conventional approach to this?
Best Answer
According to login.conf(5), the default grace period for an expired (aka "dead") password is 0. Unless that value is set in /etc/login.conf, a user cannot log in to change her password if the current system date is greater than the 6th field of the user's password entry in /etc/master.passwd (refer to passwd(5)).

To solve the problem you will need to specify a date, formatted as the number of seconds since the epoch, that falls within your grace period of choice, e.g. 2 weeks, which you will also configure in /etc/login.conf. To manually pick a password expiration time of yesterday we can use:

And then plug that value into field #6 in /etc/master.passwd by using vipw. The relevant line will then look something like this:

Running usermod like you indicated (usermod -f "May 17 2016" user) will do essentially the same thing, but in both cases /etc/login.conf must also be changed by appending the following to the default:\ or relevant section for your class of user:

The first line allows a grace period of two weeks for the user to change her password; the second line will issue warnings that a user's password is scheduled to expire. If expired, your users will see something like the following:

You can also configure :passwordtime=7776000: in /etc/login.conf to enforce an additional password change every 90 days. Note that if you require additional checks on users' password complexity, like forbidding password reuse, you should install and configure passwordqc from packages, or another password checker program.
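As an added illustration that is not part of the original answer, the script below models the decision described above: the 6th field of a master.passwd entry is compared with the login time and with the grace period from login.conf to decide whether a login is allowed as-is, forced to change the password, or refused. The login.conf capability names password-dead and password-warn are taken from login.conf(5), not from the answer, and the master.passwd line and login.conf fragment are constructed sample data.

```shell
#!/bin/sh
# Constructed example (not from the original answer): classify a user's
# password state from field 6 of master.passwd and the password-dead
# grace period in login.conf, mirroring the rule the answer describes.

# Constructed login.conf fragment: two-week grace period, one-week warning.
LOGIN_CONF='default:\
	:password-dead=2w:\
	:password-warn=1w:'

# Constructed master.passwd line; field 6 is the password change time
# in seconds since the epoch (1463443200 = May 17 2016 00:00 UTC).
MASTER_PASSWD_LINE='alice:*:1001:1001:default:1463443200:0:Alice:/home/alice:/bin/ksh'

# Convert a login.conf time value (e.g. 2w, 90d, 7776000) to seconds.
to_seconds() {
    case "$1" in
        *w) echo $(( ${1%w} * 604800 )) ;;
        *d) echo $(( ${1%d} * 86400 )) ;;
        *h) echo $(( ${1%h} * 3600 )) ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *)  echo $(( ${1%s} )) ;;
    esac
}

# Extract a capability value from a login.conf fragment; empty if absent.
cap_value() { # cap_value <capability> <conf-text>
    printf '%s\n' "$2" | tr -d '\\' | tr ':' '\n' \
        | sed -n "s/^[[:space:]]*$1=//p" | head -n 1
}

# Field 6 (password change time) of a master.passwd line.
change_time() { printf '%s\n' "$1" | cut -d: -f6; }

# Outcome of a login at time $2 given change time $1 and grace seconds $3:
#   ok     - password not yet expired (or change time 0 = never expires)
#   change - expired but inside the grace period; login forces a change
#   dead   - past the grace period; login is refused
pw_status() { # pw_status <change-epoch> <now-epoch> <dead-seconds>
    if [ "$1" -eq 0 ] || [ "$2" -le "$1" ]; then echo ok
    elif [ "$2" -le $(( $1 + $3 )) ]; then echo change
    else echo dead
    fi
}

# Example run: grace period from the fragment, change time from the entry.
DEAD=$(to_seconds "$(cap_value password-dead "$LOGIN_CONF")")
pw_status "$(change_time "$MASTER_PASSWD_LINE")" 1463500000 "$DEAD"  # change
```

With the default password-dead of 0 the "change" branch can never be reached, which is exactly why the question's expired account was not prompted on login.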