When I create a new user account I ask users to send me a public key, and want to force users to set the password the first time they log in with keypair authentication. If I create an account with an impossible/disabled and expired password, but put a pubkey in their .ssh/authorized_keys file, the user is required to change his password at first login, but cannot enter his current one!
# adduser --disabled-password foo
…
# chage -d0 foo
What is a more appropriate way to go about this?
Best Answer
You could
make sure nullok or nullok_secure is not in use in arguments of pam_unix for auth in the pam configuration for any service.
passwd -d foo
chage -d0 foo
That seems to do the trick here (debian wheezy).
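The first condition in the answer can be checked before running passwd -d, since nullok is the pam_unix option that accepts an empty password. The following is an added example, not part of the original answer: find_nullok is a hypothetical helper name, the sample files are constructed, and it assumes a pam.d-style directory with one entry per line (no backslash continuations).

```shell
#!/bin/sh
# find_nullok DIR
# Prints "file:line: entry" for every auth entry in DIR whose pam_unix
# arguments include nullok or nullok_secure.
# Returns 0 when none is found, 1 when at least one is found.
find_nullok() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            { sub(/#.*/, "") }                    # drop comments
            {
                type = $1
                sub(/^-/, "", type)               # "-auth" is still an auth entry
                if (type != "auth" || $0 !~ /pam_unix\.so/) next
                args = $0
                sub(/.*pam_unix\.so/, "", args)   # keep module arguments only
                n = split(args, tok, /[ \t]+/)
                for (i = 1; i <= n; i++)
                    if (tok[i] == "nullok" || tok[i] == "nullok_secure") {
                        printf "%s:%d: %s\n", file, NR, $0
                        hit = 1
                        break
                    }
            }
            END { exit hit + 0 }
        ' "$f" || rc=1
    done
    return $rc
}

# Constructed sample input, not taken from a real host.
sample=$(mktemp -d)
printf '%s\n' 'auth [success=1 default=ignore] pam_unix.so nullok_secure' \
    > "$sample/common-auth"
printf '%s\n' '# auth required pam_unix.so nullok' \
    'auth required pam_unix.so try_first_pass' \
    'password required pam_unix.so nullok sha512' > "$sample/sshd"

# Only the common-auth entry is reported; the comment and the password entry are not.
find_nullok "$sample" || echo "nullok in use for auth: fix this before passwd -d"
rm -rf "$sample"
```

On a real system the directory to pass is /etc/pam.d; a zero exit status means no auth entry was found that lets pam_unix accept an empty password.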