We mostly use AIX (IBM's flavor of Unix) at work, and there's one thing about the password that I'm used to that I'm trying to figure out how to get PAM to do.
When the password is set by root, the next time the user logs in, they are forced to change it.
I've tried to duplicate this functionality with PAM, but I can't figure it out.
Looking at "man 5 shadow", it looks like all you would need to do is set the 5th field, "days after which password must be changed" to 0, but that doesn't work.
I've tried several variations on that (adjusting the "number of days since password was last changed" and other fields), and so far I get one of two results:
- The password routine accepts the password, but just logs me in. It doesn't ask for a new password.
- The password routine appears to accept the password, but immediately ends the session.
I'm looking for either of two things here:
A) An explanation of how the fields in /etc/shadow actually work, with an example of how to do what I'm talking about (or which PAM module to use with whichever options are appropriate). (Please don't point me to any of the man pages or the Linux-PAM System Administrator's guide - I've read those, and they didn't help.)
B) A command for setting the parameters on a userid that says things like how long the password is good for, whether a password must be changed, etc. (I don't really care about the internal guts of PAM, shadow, etc., I just want to use this functionality. At this point, I'm assuming I'll need to learn that to be able to do what I want, but if there's a pre-canned solution, I'll take it happily.)
Thanks for any help you can give.
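
Added example, not part of the original post: a simplified Python model of the password-aging fields in an /etc/shadow line, following the field meanings given in shadow(5), where a value of 0 in field 3 (date of last change) means the password must be changed at the next login. It is not pam_unix's own code; the function names, state labels and sample entries are constructed for illustration.

```python
# Simplified model of the aging fields in an /etc/shadow line, per shadow(5).
FIELDS = ("name", "hash", "lastchg", "min", "max",
          "warn", "inactive", "expire", "reserved")

def parse_shadow_line(line):
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    for key in FIELDS[2:8]:              # numeric fields; empty means "not set"
        entry[key] = int(entry[key]) if entry[key] else None
    return entry

def password_state(entry, today):
    """Classify an entry; `today` is days since 1970-01-01, like the date fields."""
    lastchg, max_age = entry["lastchg"], entry["max"]
    if entry["expire"] and today >= entry["expire"]:
        return "account-expired"
    if lastchg == 0:                     # special value: change at next login
        return "change-required"         # this is what `chage -d 0 <user>` sets
    if lastchg is None or max_age is None:
        return "ok"                      # aging disabled for this entry
    age = today - lastchg
    if age > max_age:
        grace = entry["inactive"]
        if grace is not None and age > max_age + grace:
            return "password-inactive"   # grace period after expiry has run out
        return "change-required"
    if entry["warn"] is not None and max_age - age <= entry["warn"]:
        return "warn"
    return "ok"

# Constructed sample entries (hashes are placeholders) and a fixed "today".
TODAY = 20000
SAMPLE = """\
alice:$6$CONSTRUCTED:0:0:99999:7:::
bob:$6$CONSTRUCTED:19900:0:90:7:::
carol:$6$CONSTRUCTED:19900:0:90:7:5::
dave:$6$CONSTRUCTED:19990:0:99999:7:::
erin:$6$CONSTRUCTED:19915:0:90:7:::
frank:$6$CONSTRUCTED:19990:0:99999:7::19999:
"""

def report(text=SAMPLE, today=TODAY):
    return {e["name"]: password_state(e, today)
            for e in map(parse_shadow_line, text.splitlines())}

if __name__ == "__main__":
    for name, state in report().items():
        print(f"{name:6} {state}")
```

On systems with the shadow utilities, `chage -l <user>` prints the same fields in readable form.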