Password Expiration Policy

bspicer · 04-12-2005, 10:11 AM

I currently have about 60 users in RedHat and our passwords do not change at all. I would like to have unix make each user change their password every 90 days. I made this change in etc/login.defs but read that this only affects newly created accounts.

Is there away to globally set each account so their password expires in 90 days?

Thanks.

Bill

Crashed_Again · 04-12-2005, 10:16 AM

I think you need to use passwd:

http://unixhelp.ed.ac.uk/CGI/man-cgi?passwd

if the user's account supports password lifetimes.

bspicer · 04-12-2005, 10:31 AM

Forgive me I'm still a newbie.

Will passwd work with many users at once like passwd -x 90 *
or maybe pipe a list of users to it.

Also what do you mean by if users account supporst password lifetimes.
The password expiration check box is unchecked for each user in user manager.
thanks.

bspicer · 04-12-2005, 10:49 AM

We also don't have any password routine in our .bash_profile. Not sure what we wold need in there.

Tinkster · 04-12-2005, 04:45 PM

No, passwd won't accept multiple accounts (wildcards).

A work-around would be something like (untested)

Code:

awk -F: '{ if($3 >= 500) print $1}' /etc/passwd | xargs -i passwd -x 90 {}

And what do you mean with the .bash_profile password routine?

Cheers,
Tink

bspicer · 04-13-2005, 09:03 AM

Doesn't .bash_profile need something to check password expiration or does that happen automatically when logging in?

Tinkster · 04-13-2005, 01:21 PM

Yep, password expiry is something checked by the
program login, not bash.

Cheers,
Tink

Oupa · 05-12-2007, 03:26 AM

Tinkster idea works well.
I doubt whether the auditors would approve of 90 days, I know when we were audited they thought my 30 days was excessive. Oupa.