I'm trying to configure a user password policy on RHEL 6.6, and I want the system to ask newly created users to change their initial password on first login.
Note that I tried to set the EXPIRE variable to 0 and INACTIVE to -1 in /etc/default/useradd, but this leads to the new user account being expired right after creation. The output of the chage command after creating a user with these variables is:
# chage -l foo
Last password change : Feb 22, 2015
Password expires : May 23, 2015
Password inactive : never
Account expires : Feb 22, 2015
Minimum number of days between password change : 1
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
When I try to log in as the foo user, the message "Your account has expired. Please contact your system administrator" is shown.
But if I open the 'User Properties' window, select the 'Password Info' tab and check 'Force password change on next login', the result is what I expect: the new user is asked to change the password. The output of the chage command in this case is:
# chage -l foo2
Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
When I log in as the foo2 user, the system asks me to change the password.
So, is there any way to configure the system to set the user account parameters on creation as in the second case?
Upd
cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=0
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
Even if I comment out INACTIVE or set it to a positive value, the account is expired, but not the password.
Also, I have configured PAM on the machine.
Upd 2
I checked this on a machine with RHEL 6.2 and without any PAM configuration. The effect is the same.
Best Answer
Since you're asking about RHEL6, I looked at the source code for useradd (which is delivered as part of the 'shadow' package). In useradd.c there is a function called new_spent where it sets up a new shadow password entry. There it addresses the "expired password on creation" issue this way:
Soooo... If you set a zero it makes it a -1.
The authors of the program have coded specifically against setting the aging to 0 so it won't matter if you set it to 0 in the /etc/default/useradd parameter for EXPIRE. (If it was me doing that code I would have looked to see if the user was setting the password in the command and then allowing the expire, but it wasn't me...)
Also, it was suggested above that you could place a script into /usr/local/sbin/adduser.local to do a 'chage' command. This was good advice for a Debian/Ubuntu system where useradd is a perl script which does indeed run that file if it finds it, but on RHEL the useradd command is a C binary.
If I were you and I was determined to get that behavior from the RHEL6 useradd, I'd get the SRPM for the shadow package, comment out those lines above, do an rpmbuild on the package and rock away. Winning!
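A less invasive route than rebuilding the shadow package, added here as an example and not part of the answer above: leave EXPIRE unset in /etc/default/useradd and instead zero the "last password change" day with chage -d 0 after creating the account. That is exactly the shadow-file state the GUI produces (every age field reads "password must be changed", "Account expires: never"). The script below wraps that provisioning step and adds a small classifier that reads chage -l output and reports whether an account is in the wanted "forced-change" state or in the broken "account-expired" state from the question. The two sample outputs are constructed to mirror the question's foo and foo2 listings; provision_user and audit_user need root on a real host, while classify_chage works on captured text.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Assumes the
# shadow-utils useradd/chage binaries found on RHEL 6.

# Create the account and force a password change on first login by setting
# the "last change" day to 0. Set the initial password (e.g. with passwd)
# between the two steps on a real system.
provision_user() {
    user="$1"
    useradd "$user" || return 1
    chage -d 0 "$user"
}

# Classify `chage -l` text read from stdin:
#   account-expired  - the account itself has an expiry date (login refused)
#   forced-change    - password must be changed at next login (desired state)
#   normal           - neither condition applies
classify_chage() {
    awk -F': *' '
        /^Last password change/ && $2 ~ /must be changed/ { forced = 1 }
        /^Account expires/      && $2 != "never"          { expired = 1 }
        END {
            if (expired)     print "account-expired"
            else if (forced) print "forced-change"
            else             print "normal"
        }'
}

# Live check of an existing account (root required).
audit_user() {
    chage -l "$1" | classify_chage
}

# Constructed samples mirroring the two listings from the question.
SAMPLE_EXPIRED='Last password change : Feb 22, 2015
Password expires : May 23, 2015
Password inactive : never
Account expires : Feb 22, 2015'

SAMPLE_FORCED='Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : never'

# Feed a stored sample through the classifier.
check_sample() {
    printf '%s\n' "$1" | classify_chage
}
```

Running `for u in $(cut -d: -f1 /etc/passwd); do printf '%s %s\n' "$u" "$(audit_user "$u")"; done` as root lists which accounts are stuck in the "account-expired" state that EXPIRE=0 produces, so the misconfiguration can be spotted before users hit the "Your account has expired" message.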