Password Aging

If passwords within an organization are created centrally by the administrator, adding new users to the organization means the administrators must configure the account so the user is asked to create a password when logging in for the first time.

To configure a user account in this manner, follow these steps:

  1. Create the user account using the useradd command — At this point the account is created, but locked.

  2. Force immediate password expiration — To do this, type the following command:

    chage -d 0 <username>

    In the above command, replace <username> with the name of the account. This sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place.

  3. Unlock the account — There are two common approaches to this. The administrator can assign an initial password:

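    /usr/sbin/usermod -p "<password>" <username>

    In the above command, replace <password> with the initial password, in the encrypted form that usermod -p expects (the option takes a crypt(3) hash, not plain text), and <username> with the account name.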

    Or, the administrator can assign a null password:

    /usr/sbin/usermod -p "" <username>

    Caution

    While using a null password is convenient for both the user and the administrator, there is a slight risk that a third party can log in first and access the system. To minimize this threat, it is recommended that administrators verify that the user is ready to log in when they unlock the account.

    In either case, upon initial log in, the user is prompted for a new password.
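The states this procedure produces are visible in the shadow(5) file: chage -d 0 writes 0 into the last-change field (field 3) and usermod -p "" empties the hash field (field 2). The following audit script is an added example, not part of the original documentation; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit shadow(5) entries for the states this procedure creates.
# Field 2 is the password hash, field 3 the last-change date (days since epoch).

# sample_shadow: constructed sample lines, not taken from a real system.
sample_shadow() {
    cat <<'EOF'
root:$6$SALT$CONSTRUCTEDHASH:19000:0:99999:7:::
alice:$6$SALT$CONSTRUCTEDHASH:0:0:99999:7:::
bob::0:0:99999:7:::
carol:!!:19750:0:99999:7:::
dave:!!:0:0:99999:7:::
EOF
}

# audit_shadow: read shadow-format lines on stdin, print "user:FLAG[,FLAG]"
# for every account that is locked, has a null password, or must change
# its password at next login.
audit_shadow() {
    awk -F: '
    function add(s, flag) { return (s == "" ? flag : s "," flag) }
    $1 == "" || $1 ~ /^#/ { next }          # skip blank lines and comments
    {
        flags = ""
        if ($2 == "")            flags = add(flags, "NULL_PASSWORD")  # usermod -p ""
        else if ($2 ~ /^[!*]/)   flags = add(flags, "LOCKED")         # not yet unlocked
        if ($3 == "0")           flags = add(flags, "MUST_CHANGE")    # chage -d 0
        if (flags != "") print $1 ":" flags
    }'
}

# Real use (as root): audit_shadow < /etc/shadow
sample_shadow | audit_shadow
```

An entry flagged NULL_PASSWORD,MUST_CHANGE (bob in the sample) is the exposure the Caution describes: the account is unlocked with no password until its owner completes the first login.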