Temporary Passwords - Time Limit To Use?

Hi,

If a user requests a password reset, is there a time limit in which they should use and then get prompted to reset to one they set?

Regards,

Tim

Responses

Hi Tim, and welcome.

This generally is (or ought to be) set by each company/organization. Some organizations go with a 60-day password life and the password expires (for example). This link on setting default password aging is from 2012, yet it is still relevant. It merely speaks of the two values within /etc/login.defs named PASS_MAX_DAYS xx and PASS_WARN_AGE x

You could probably set a password for someone by using the chage or passwd command and force the password to expire from the command line, requiring them to change it upon the next login. Please evaluate that.

Evaluate what you want if you are part of a company and come up with a policy that your security office (or owner) would agree to as part of overall security policy. If it's just for yourself, 60 days might be good.

Regards,
RJ

I added a link to the original reply. Let us know if that works, and see the password aging link as well.

Regards,
RJ

Sorry, I meant resetting via IDM. So if I reset a user's password in the IDM GUI and send them the temporary password I have chosen. Then when they log in and use that they are prompted to set to something only they know. My question is the delay between setting the temp password and the user eventually getting around to logging in with it. Is there a way of setting a max time in which the temp password is valid until it would have to be reset again for them to use?

Hope this is clearer...

Regards,

Tim

Hi Tim,

Yup, that's good context to know, thanks. I looked at the current guide and could not find anything for setting someone's temp password to expire, but that's of course a fantastic idea. While I didn't see anything there, I'd recommend opening a case with that requirement asking Red Hat (in a case) along with this current discussion to see if there's a work-around to achieve that good goal.

Sorry I couldn't find anything further. I'll ask my other Red Hat Accelerators if they know of anything (we do not work for Red Hat, but are part of a group Red Hat has called Accelerators).

Regards
RJ

Tim,

In the absence of an immediate method for this, perhaps 1) submit a case with Red Hat asking them this question directly and 2) as an ugly workaround, run a command on the IDM server that will expire their password, chained to a sleep statement: sleep 1800;force_expire_password_command

I'm checking with some others on a specific command to force that. I'd still recommend putting in a case with Red Hat regarding this. I'll update this post later if I find that command I pseudo-commanded above.

Update/added: Evaluate if the method at this external link works.

Regards,
RJ

Hi RJ,

I did raise a case in relation to this...but Red Hat don't seem interested in doing anything.

Their response:

'Thank you for contacting Red Hat Technical Support. My name is Kushal Ludhwani & I shall be assisting you with this service request.

It is not possible to have temporary password validity, However we configure IPA to do not force user to change password as next login if password is reset by IPA admin.'

Regards,

Tim

Hi Tim,

I suspected there was not such a feature yet. I'd recommend 2 things: 1) ask them to make a feature request out of your case and 2) consider if the method here at this external link will help you or not. Alternatively, there is a Red Hat Ask Me Anything (not hosted by me, and I'm not a Red Hat employee) event coming where I can see if we can get this question posed. Namely, I'm thinking of a work-around.

Regards,
RJ

Tim,

I'm thinking there has to be a command line method to lock an account in IDM. So something like

[root@youridmserver ~] # sleep 1800 ; LOCK-COMMAND-GOES-HERE

That would give them one half an hour to take care of password business. Adjust as necessary.

Regards,
RJ
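
The sleep-then-lock workaround discussed in this thread, written out as an added example (not code from any poster or from Red Hat). It assumes that `ipa user-show --all --raw` reports `krbLastPwdChange`, that this value changes when the user replaces the temporary password, and that disabling the account with `ipa user-disable` is an acceptable "lock"; the function names are hypothetical.

```shell
#!/bin/bash
# Added example: disable an IdM account if its temporary password is still
# unused after a grace period. Needs an admin Kerberos ticket (kinit admin).

# Print the krbLastPwdChange value for a user, as reported by
# `ipa user-show --all --raw` (attribute name matched case-insensitively).
last_pwd_change() {
    ipa user-show "$1" --all --raw |
        awk 'tolower($1) == "krblastpwdchange:" { print $2; exit }'
}

# expire_unused_temp_password LOGIN [GRACE_SECONDS]
# Run right after the admin reset. Returns 0 if the user changed the
# password in time, 1 if the account was disabled, 2 on lookup failure.
expire_unused_temp_password() {
    local login=$1 grace=${2:-1800} before after
    before=$(last_pwd_change "$login")
    [ -n "$before" ] || { echo "no krbLastPwdChange for $login" >&2; return 2; }
    sleep "$grace"
    after=$(last_pwd_change "$login")
    [ -n "$after" ] || { echo "lookup failed for $login" >&2; return 2; }
    if [ "$after" != "$before" ]; then
        echo "$login changed the password; nothing to do"
        return 0
    fi
    # Assumption: an unchanged timestamp means the temp password was never
    # replaced, so the account is disabled until an admin resets it again.
    ipa user-disable "$login" && return 1
    return 2
}

# Run only when called with arguments, e.g.: ./expire_temp.sh tim 1800
if [ "$#" -ge 1 ]; then
    expire_unused_temp_password "$@"
fi
```

An account disabled this way stays locked until an admin runs `ipa user-enable` and issues a fresh temporary password.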