There are various ways to set this up, but I believe one of the simplest is the one I explain below.
For example, say you created a new user “fake”:
# useradd fake
Create a password for the user:
# passwd fake
Changing password for user fake.
New UNIX password:
BAD PASSWORD: it is WAY too short
Retype new UNIX password:
Then, to force the user to change the password at the first login, simply set the password to expire:
# chage -d 0 fake
This command expires the password and forces the user to change it at the next login.
Setting it as the default for all new users:
A system admin is one who can do the work, but an efficient system admin is one who does the work manually the first time and then makes the computer do the same task for him the next time. The same is true here. If you want all new users added to your system to be forced to change their password at the first login, update this file:
# vi /etc/default/useradd
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=0 #(need to add zero "0")
SHELL=/bin/bash
SKEL=/etc/skel
GROUPS=video
CREATE_MAIL_SPOOL=no
UMASK=022
This file contains the settings that are applied to new users created on the system with the useradd command.
Just set EXPIRE=0 in this file, and after that every newly created user will be forced to change their password at the next login.
Password duration:
For new accounts, the default settings are in /etc/login.defs.
Settings for existing accounts are in /etc/shadow, but we edit them with the chage command:
chage -l [user] #check settings for user
chage -E "YYYY-MM-DD" [user] #set the date when the account expires, -1 means never
chage -M [nr] [user] #set maximum number of days between password changes, counted from the last password change; -1 means never expire
chage -d "YYYY-MM-DD" [user] #set the date of the last password change
chage -W [nr] [user] #set the number of days of warning before the password expires
chage -I [nr] [user] #set password inactive: days after password expiry when the account is blocked
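To check the result of the chage commands above, the following added example (not from the original page) reads /etc/shadow-format records and reports which accounts must change their password at the next login and which have no maximum password age. The function names are hypothetical and the sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): read shadow(5)-format records
# and report their password-aging state.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Function names are hypothetical; the records below are constructed samples.

sample_shadow() {
cat <<'EOF'
root:$6$constructed$hash:19700:0:99999:7:::
fake:$6$constructed$hash:0:0:99999:7:::
alice:$6$constructed$hash:19650:0:90:14:30::
svc:!:19000:0:::::
EOF
}

# Accounts that must change their password at next login:
# lastchg (field 3) is 0, which is what "chage -d 0 user" writes.
must_change() {
    awk -F: '$3 == "0" { print $1 }'
}

# Accounts with no effective maximum password age:
# max (field 5) is empty or 99999 (a common PASS_MAX_DAYS default).
no_max_age() {
    awk -F: '$5 == "" || $5 + 0 >= 99999 { print $1 }'
}

# One line per account: name, change state, maximum age.
aging_report() {
    awk -F: '{
        change = ($3 == "0") ? "must-change" : (($3 == "") ? "aging-disabled" : "ok")
        max = ($5 == "" || $5 + 0 >= 99999) ? "no-max" : ($5 "d")
        print $1, change, max
    }'
}

# Demo on the constructed sample; on a real host run as root, e.g.:
#   must_change < /etc/shadow
sample_shadow | aging_report
```

An account listed by must_change right after creation confirms that the forced change is in place; one listed by no_max_age will never be asked to change its password again after that first login unless chage -M is set.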