SUMMARY: How to force users to change their passwords?

From: Zu, Hongya <Zuh_at_pediatrics.ohio-state.edu>
Date: Fri, 17 Mar 2000 14:35:10 -0500

Original question:

Our Unix computer is Digital Unix 4.0E.
I found that many users on our computer have not changed their passwords yet.
I want to force them to change their passwords.
How can I do it?
Should I write a few-line script in the initialization file (/etc/profile)?
Something like:

"if passwd ==12345678 then call passwd"

Please help!

Answer:

1. If you install C2, you can choose the option of "Force password change at
next login"

2. You can expire users' passwords by:
a) Using the dxaccounts graphical user interface
b) Download the zuausr utilities (search the unix-managers listserv for
information)

3. You need to get a copy of 'Essential System Administration' from O'Reilly
Associates. ISBN # 1-56592-127-5.

4. Add the following to /usr/skel/.profile (and equiv to /usr/skel/.login):
----- snip ----- snip ----- snip ----- snip ----- snip -----
#
# Setup initial password change
#
if [ -x "$HOME/.xxyyzz" ]; then
        "$HOME/.xxyyzz"
fi
----- snip ----- snip ----- snip ----- snip ----- snip -----
Then create a file called .xxyyzz (owned by bin.bin w/ 500 or
550 permissions):
----- snip ----- snip ----- snip ----- snip ----- snip -----
#!/bin/sh
#
# Script to perform user's initial password change
#
echo
#
# Loop until it's done
#
until /usr/bin/passwd; do
        echo
        echo "Please try again..."
done
#
# Thank the user and clean up
#
echo
echo Thank you
rm "$HOME/.xxyyzz"
#
# EOF
----- snip ----- snip ----- snip ----- snip ----- snip -----

I don't bother trapping signals, you might want to. If the
user is bright enough to try to defeat the system, they are
bright enough to understand the message I send them when
they have failed to change their password and I lock the
account.

Please make SURE that the .xxyyzz script is NOT world writable
or writable by normal users on the system (same as all the
other startup files in /usr/skel). A malicious user could
modify these files to do some nasty things every time a
new user logs in.

5. If you are using enhanced security, then you can set u_psw_change_reqd
for the users you want to force password changes for.
See man prpasswd for details on that flag.

6. I wrote a special "new user's shell" for this purpose. When I
make a new account, I give them this shell (which I install at
/local/bin/nush). This shell does not let them do anything except
change their password. Once the password is changed, this shell
resets to /usr/bin/csh (or whatever you want) and they can login
and do regular work.
 
You can get my source code via anonymous ftp to pangea.stanford.edu
at /pub/farrell/nush.shar

Put the nush.shar archive in some temporary directory and unpack it.
It is a self-extracting shell archive. Just run the command "sh nush.shar".
You will get a C program and an on-line manual entry. Install the
"nush.8" on-line manual entry in /usr/share/man/man8 or
/usr/local/man/man8 if you have this separate directory for
local manual pages. Then you can use "man nush" to read about how
it works. Compile the C program nush.c - there is a sample "cc"
command in the comments at the top of the file. I put it at
/usr/local/bin/nush. You must also create a text file that it will
display when the user logs in, and add this shell to the
/etc/shells file. See the nush.8 manual page. I don't know which
program you use to make accounts (I use a locally written program,
not one of the ones supplied by DEC). But it must have an option
somewhere to specify which shell to use when you make the account.
At that point, enter /usr/local/bin/nush. Or, you can simply
edit the /etc/passwd file after you have made the account (use
the "vipw" program with no arguments) to change the shell to
/usr/local/bin/nush. This all assumes that you have basic security
(not extended) and are not using NIS. I don't know if my program
will work with the extended security, and it definitely does NOT
work with NIS.


Thanks to:
John Losey
Harris, Rod
Mark T. Logan
Michael Bucholtz
Rochelle Lauer, Yale Univ Physics
Rogers, Guy
Tom Webster
John P Speno
Phil Farrell




++++++++++++++++++++++++++++++++++++++++++
Hongya Zu
Research Information Service
Children's Research Institute
700 Children's Drive
Columbus, OH 43205
Phone: (614) 722-2914
Fax: (614) 722-2716
Email: zuh_at_pediatrics.ohio-state.edu
+++++++++++++++++++++++++++++++++++++++++
Received on Fri Mar 17 2000 - 19:46:11 NZDT
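
The signal trapping that answer 4 leaves out, combined with its warning about writable startup files, as an added example (not part of the original post or any respondent's code). It is a replacement for the /usr/skel/.profile fragment; the names FIRST_LOGIN_SCRIPT, script_is_safe and run_first_login are assumptions introduced here.

```sh
#!/bin/sh
# Added example: hardened form of the /usr/skel/.profile hook from answer 4.
# FIRST_LOGIN_SCRIPT, script_is_safe and run_first_login are names
# introduced here (assumptions), not part of the original post.

FIRST_LOGIN_SCRIPT=${FIRST_LOGIN_SCRIPT:-$HOME/.xxyyzz}

# Succeed only if $1 is a regular file (not a symlink) that neither
# group nor others can write to.
script_is_safe() {
    [ -f "$1" ] && [ ! -h "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)      # e.g. -r-x------
    case $perms in
        ?????w????|????????w?) return 1 ;;  # group-write or other-write bit
    esac
    return 0
}

# Run the first-login script with keyboard signals ignored.
# Returns 0 if nothing is pending, 2 if the script is refused,
# otherwise the script's own exit status.
run_first_login() {
    script=$1
    [ -x "$script" ] || return 0
    if ! script_is_safe "$script"; then
        echo "Not running $script: unsafe permissions or file type" >&2
        return 2
    fi
    # The ignored state is inherited by the script, so Ctrl-C, Ctrl-\
    # and Ctrl-Z cannot kill its "until passwd" loop.
    trap '' INT QUIT TSTP
    "$script"
    status=$?
    trap - INT QUIT TSTP                    # restore default handling
    return $status
}

run_first_login "$FIRST_LOGIN_SCRIPT"
```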
