Second topic ... See the discussion in the Center for Internet Security Red Hat Linux Benchmark (http://cisecurity.org):

8.3 Set Account Expiration Parameters On Active Accounts

Action:

    cd /etc
    # Tighten the password-aging defaults applied to newly created accounts.
    # The *-preCIS files are the unmodified copies that the diffs below compare against.
    awk '($1 ~ /^PASS_MAX_DAYS/) { $2="90" }
         ($1 ~ /^PASS_MIN_DAYS/) { $2="7" }
         ($1 ~ /^PASS_WARN_AGE/) { $2="28" }
         ($1 ~ /^PASS_MIN_LEN/)  { $2="6" }
         { print }' login.defs-preCIS > login.defs
    chown root:root login.defs
    chmod 640 login.defs
    diff login.defs-preCIS login.defs
    # Default inactivity lock (days after expiry) for accounts created from now on.
    useradd -D -f 7
    diff /etc/default/useradd-preCIS /etc/default/useradd
    # Apply the same aging to every existing non-system account (UID >= 500, except nobody).
    for NAME in $(cut -d: -f1 /etc/passwd); do
        uid=$(id -u "$NAME")
        if [ "$uid" -ge 500 ] && [ "$uid" -ne 65534 ]; then
            chage -m 7 -M 90 -W 28 -I 7 "$NAME"
        fi
    done
    diff shadow-preCIS shadow

Discussion: It is a good idea to force users to change passwords on a regular basis. The commands above will set all active accounts (except system accounts) to force password changes every 90 days (-M 90), and then prevent password changes for seven days (-m 7) thereafter. Users will begin receiving warnings 28 days (-W 28) before their password expires. Once the password has expired, the account will be locked out after 7 days (-I 7). Finally, the instructions above set a minimum password length of 6 characters. These are recommended starting values. Some regulated industries require more restrictive values – ensure they comply with your Enterprise security policy.

George Toft, CISSP, MSIS
623-203-1760

Jeremy C. Reed wrote:
> Two topics here ...
>
> Anyone know of a ready-to-use script/tool to generate password and reset
> password and mail it?
>
> I could write a script that does the following ... generate a password
> with apg, shuffle, or Crypt::RandPasswd perl module; then encrypt it (if
> needed); use usermod to set it; and then PGP/GPG-encrypt a message and
> email that. (This is to be automated every couple weeks or once a month via
> cron.)
>
> I was wondering if something already exists before I do this myself. (This
> is on a RHEL clone, but that doesn't matter.)
>
> Second topic:
>
> Anyone use shadow(5) fields (such as with passwd(1) or chage(1)) for last
> password change, days until change allowed, days before change required,
> days warning for expiration, days before account inactive, and/or date
> when account expires? If so, do you want to share any examples?
>
> Thanks,
>
> Jeremy C. Reed
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss