3

I want to make it so that every time anyone creates a new user on my system that user will be forced to set a password during their first login. I can't find anything in `/etc/login.defs` that will do it. I also tried to find something in `/etc/pam.d` and was unsuccessful. Essentially I want any new user to have an expired password without needing someone to `chage -d 0` or `passwd -e`.

Is there a parameter for `useradd` that I can set the password age to expired so that I could make an alias or a wrapper for `useradd`? Or would I have to make an alias for `useradd` with `chage -d 0` after it?

I'm not a sysadmin; we ship RHEL with our product and I've been tasked to change our default security settings. Any useful suggestions greatly appreciated.

Sinc
    http://unix.stackexchange.com/questions/173708/how-do-i-force-a-user-to-change-a-password-at-the-first-time-login-using-ssh – Guido Apr 29 '16 at 21:12
  • 1
    The difference between that and this is that I want to not just set one user's password expired, I want to ensure that if a new user is created in the future the user will be forced to change the password immediately. It's not a question of now, but how do I make an expired password the default for all new users? – Sinc Apr 29 '16 at 21:56
  • 1
    You could write a wrapper around `adduser`/`useradd` and `passwd`/`chage` to do this for you. – roaima Apr 29 '16 at 22:36
  • 1
    This question is not a duplicate of the indicated question. – Ben Aveling Apr 03 '18 at 13:05
  • Correct @BenAveling. But sometimes you just can't get everyone to read the questions accurately. It turned out we block useradd for non-root users and have a shell for customers to add new users. Adding chage -1 to that script was trivial. If only they had told me about that script before I posted! – Sinc Apr 03 '18 at 21:31

1 Answer

2

You can do it using `passwd`'s `-e` option after creating the account. `useradd` has an `-e` option for expiring a user account, not the password.

From man passwd:

-e, --expire

Immediately expire an account's password. This in effect can force a user to change his/her password at the user's next login.

heemayl
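The wrapper approach raised in the question and comments, combined with the password expiry described in this answer, as an added example that is not part of the original posts. It uses `chage -d 0` from the question; the function names and the `USERADD`, `CHAGE` and `SHADOW` override variables are assumptions of this example, there so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original posts): create an account and expire
# its password in one step, then verify the result in the shadow file.
# USERADD, CHAGE and SHADOW are hypothetical override variables; the
# defaults are the real tools and the real shadow file.
USERADD=${USERADD:-useradd}
CHAGE=${CHAGE:-chage}
SHADOW=${SHADOW:-/etc/shadow}

# useradd_expired [useradd options] LOGIN
# All arguments are passed to useradd unchanged; useradd expects the
# login name as its last argument, so that is what gets expired.
useradd_expired() {
    [ "$#" -ge 1 ] || { echo "usage: useradd_expired [options] LOGIN" >&2; return 2; }
    for login in "$@"; do :; done        # leaves the last argument in $login
    case $login in
        -*|'') echo "useradd_expired: missing login name" >&2; return 2 ;;
    esac

    # Create the account. If that fails, leave password ageing alone
    # and hand back useradd's own exit status.
    "$USERADD" "$@" || return $?

    # Set the "last password change" date to day 0, which forces a
    # password change at the next login.
    "$CHAGE" -d 0 "$login" || {
        echo "useradd_expired: $login created but password NOT expired" >&2
        return 1
    }
}

# must_change LOGIN
# Succeeds only if LOGIN exists in $SHADOW and its third field
# (date of last password change) is 0, i.e. a change is forced.
must_change() {
    awk -F: -v u="$1" '
        $1 == u { found = 1; ok = ($3 == "0") }
        END     { exit !(found && ok) }
    ' "$SHADOW"
}
```

`must_change` can also be looped over existing login names to find accounts that were created outside the wrapper and never had their password expired.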