On OpenBSD 5.6 I need to provision a number of user accounts with default passwords. I would like users, upon their first SSH login, to be forced to change their passwords from the default.
On CentOS and Debian I can do this using chage -d 0 $username
.
It appears from the login.conf manual that I should be able to accomplish the same thing on OpenBSD with something like:
usermod -f 1 $username
orusermod -f "Jan 1 2015" $username
Setting it that way does prompt the appropriate change in userinfo $username
, but logging in as $username via SSH does not actually enforce a password change - it opens the shell quite happily, oblivious to the password having been marked inactive above.
Some posts from 2000 talk through writing a wrapper login shell to force a password change. That said, given the obvious scaffolding in usermod
and chpass
, it seems that this is built-in, but not documented as widely as the Linux equivalents.
Can a BSD pro shed some light on the conventional approach to this?