[SOLVED] Force change password for users in linux, without terminating the shell session

BhushanPathak · 07-10-2014, 04:06 AM

Hello,

I am using CentOS 6.5 64 bit OS. I used chage command to force users to change their password on next login, for ex -

Code:

chage -d 0 admin

This forced the user to change the password, but terminated the session & the user was required to re-login with the new password.

Is there any way, any other command to avoid the session termination at the end of a successful password change?

Another thing I noted was that this command did not work for root user. The root user was not forced to change password. Anything I am missing here?

Thanks
Bhushan Pathak

looop · 07-10-2014, 05:23 AM

To my knowledge you can't force GOD (root) to do anything, including changing the password.

BhushanPathak · 07-10-2014, 06:12 AM

ok, what about the session termination on successful password change?

looop · 07-10-2014, 06:16 AM

It is a million years since I did IDM and User mangement. So my memory is a little rusty at this subject, so instead of getting your hopes up.
I hope another person will give you an answer to that question

pan64 · 07-10-2014, 06:18 AM

I do not really understand: what do you mean by session termination? Kicking of the root user means reboot. If you want to change the password of root just do that.

looop · 07-10-2014, 06:26 AM

@pan64 - He/she wants to be able to change the password of a normal user, without terminating the users sessions. Then he asked if it was possible to force the root to change password.
Two different questions

pan64 · 07-10-2014, 06:37 AM

see man passwd:

Code:

      -e, --expire
           Immediately expire an account's password. This in effect can force a user to change his/her password at the user's next
           login.

only root can use it. but actually there is no meaning to force myself (root as root) to change password

BhushanPathak · 07-11-2014, 02:16 AM

Anyone about the session termination on successful password change - how to avoid that?

Thanks
Bhushan Pathak

looop · 07-11-2014, 02:49 AM

@BhushanPathak as “pan64 writes see the man page, so what you do as root is:

Code:

passwd -e #username#

So the next time he/she tries to logon to the system they have to change the password, this does not kill the current session

BhushanPathak · 07-11-2014, 03:52 AM

I tried that out. I executed the following as root -

Code:

# passwd -e admin
Expiring password for user admin.
passwd: Success

I then opened a new SSH session & logged in as admin user, but I was not forced to change my password.

pan64 · 07-11-2014, 03:55 AM

how did you try that? With passwordless login?

BhushanPathak · 07-11-2014, 03:59 AM

Nope, I provided username & old password for admin user, but was not prompted for changing the password, like in the case when chage command is used.

pan64 · 07-11-2014, 04:01 AM

what is the user id of admin?
what is in /etc/nsswitch.conf?

BhushanPathak · 07-11-2014, 04:10 AM

Following are the details -

Code:

# id admin
uid=783(admin) gid=783(admin) groups=783(admin)


# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files
shadow:     files
group:      files

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

jguillem · 02-20-2018, 04:30 AM

Same here.
In my case I'm using LDAP authentification.
When the parameter shadowLastChange is zero or less, the user is forced to change the password during the first autentication.
The problem is: one time the authentication is made and the user has changed his passwd, the session closes with the error "password change failed: Invalid credentials".
However, the password is changed and in the next login the new passwd works correctly.

ssh lguillem@127.0.0.1
lguillem@127.0.0.1's password:
You are required to change your password immediately (root enforced)
need a new password
Last login: Fri Feb 16 13:23:15 2018 from gateway
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user lguillem.
(current) LDAP Password:
New password:
Retype new password:
password change failed: Invalid credentials
passwd: all authentication tokens updated successfully.
Connection to 127.0.0.1 closed.