
Forcing user to change his unix login password

asked 2016-03-17 03:22:34 -0600

queszama

I am using the `users` resource to create unix accounts and then set a default password. For this I have written the following manifest.

    node '','' {
      user { 'askar':
        ensure           => 'present',
        managehome       => 'true',
        comment          => 'man Home',
        home             => '/home/askar',
        shell            => '/bin/bash',
        expiry           => '2016-03-22',
        password         => '$1$cs1j/t.D$4Q2Ocr0pulyNTUx/',
        password_min_age => '30',
        password_max_age => '60',
      }
    }

It works fine, but I want the user to be forced to change his password at next login. For this I extended the rule with an exec resource to run the following command, `chage -d 0 askar`, so that the user is forced to change the password.

    exec { 'chage -d 0 askar':
      command => 'chage -d 0 askar',
    }

But this is not working for me. Can you please suggest how I can get a user forced to change his password at next login?



Does puppet throw an error? Does it say it's running it but you see no change on the system? Just saying "this is not working" doesn't give us any info on why.

lavaman ( 2016-03-17 13:27:45 -0600 )

2 Answers


answered 2016-03-18 02:13:51 -0600

updated 2016-03-18 02:15:03 -0600

This isn't going to work for a few reasons, not all of which I will go into.

The main problem is, if you declare a password for the user 'askar', and then expect that user to manually change it as a result of the Exec you have declared, Puppet will change it back again on its next run to whatever you have in password => '$1$cs1j/t.D$4Q2Ocr0pulyNTUx/'.

You could perhaps have the user generate an encrypted password by following a procedure like this.

However, I think this is the wrong approach. I do not consider a user's password to be "configuration"; rather it is server "data", and since Puppet is a configuration management tool, a user's password does not belong in Puppet.

If you're not using or planning to use LDAP to manage your users, I would personally use Mcollective, or even an Ansible playbook, outside of Puppet, to set the initial passwords and run chage.



Setting the path variable just before command under the exec section did the work for me: `path => '/usr/bin/',`

queszama ( 2016-03-26 22:20:32 -0600 )

Any pointers for mcollective to start with?

queszama ( 2016-03-28 05:21:12 -0600 )

You should note carefully what I have said in my answer, because although path may have made the code appear to work, it still won't really work for all the reasons I mentioned, and other reasons I didn't mention. As for Mcollective, best thing is to play with it, ask questions if you're stuck.

Alex Harvey ( 2016-03-28 05:40:33 -0600 )

answered 2018-08-22 05:10:08 -0600

Pankaj Shukla

    class user_add {
      user { 'pankaj':
        ensure           => 'present',
        comment          => 'Ops Users',
        password_max_age => '99999',
        password_min_age => '0',
        shell            => '/bin/bash',
      }
    }

    class user_add_with_fore_password_change inherits user_add {
      exec { 'echo "pankaj:password1" | /usr/sbin/chpasswd':
        path => '/usr/bin',
      }

      exec { 'chage -d 0 pankaj':
        path => '/usr/bin',
      }
    }

    include user_add_with_fore_password_change

Use above OR below:

    user { 'pankaj':
      ensure           => 'present',
      comment          => 'Ops Users',
      password_max_age => '99999',
      password_min_age => '0',
      shell            => '/bin/bash',
    }

    exec { 'echo "pankaj:password1" | /usr/sbin/chpasswd':
      path => '/usr/bin',
    }

    exec { 'chage -d 0 pankaj':
      path => '/usr/bin',
    }
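An added example, not part of either answer above: a manifest that seeds the password and expires it only once, so later Puppet runs neither revert the user's new password (the problem described in the first answer) nor re-run `chpasswd`/`chage` on every run. The resource title, the guard command and the `$initial_hash` placeholder are assumptions made for this example.

```puppet
# Added example (not from the thread). 'askar' is the account from the question;
# $initial_hash is a placeholder for a crypt(3) hash generated off-host,
# so no cleartext password is stored in the manifest.
$initial_hash = '<PLACEHOLDER_SHA512_CRYPT_HASH>'

user { 'askar':
  ensure     => present,
  managehome => true,
  home       => '/home/askar',
  shell      => '/bin/bash',
  # No 'password' attribute: once the user picks a new password,
  # Puppet has nothing to reset it back to.
}

exec { 'seed initial password for askar and expire it':
  provider => shell,
  path     => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],
  # printf is a shell builtin, so the hash does not show up as a process
  # argument; chpasswd -e takes an already-hashed password on stdin.
  # chage -d 0 then forces a change at the next login.
  command  => "printf '%s\\n' 'askar:${initial_hash}' | chpasswd -e && chage -d 0 askar",
  # Guard: run only while the shadow password field is still empty or a bare
  # lock marker ('!', '!!', '*'), i.e. no password has ever been set.
  # After the first run the field holds a hash and the exec is skipped.
  onlyif   => "getent shadow askar | cut -d: -f2 | grep -Eq '^[!*]*\$'",
  require  => User['askar'],
}
```

An account that was locked after a password was set has a field such as `!$6$...`, which the guard does not match, so locked accounts are not re-seeded.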
