I'm on SPARC Solaris 10. I set the app account so it's expired. I also want it
set so that it is not required to change its password at first login. I can do this by
removing the numbers after the password in /etc/shadow.
Example using user1:
The /etc/shadow file looks like this:
user1:kOmcVXAImRTAY:0::::90::
Want it to be like this:
user1:kOmcVXAImRTAY:::::::
How can I do that via a script? I want to do it on multiple servers, hence the script.
I do that, but then when the app tries to ssh to this app account, they are required to change password at first login.
I don't want that. When I remove everything between the : after the password, then the pw doesn't need to be changed anymore either.
Getting rid of the User ID (the value between the 2nd and 3rd <colon>s) and Group ID (between the 3rd and 4th <colon>s) is a VERY BAD idea. It will either make it impossible for any of the users whose entries you changed to log in or it will give all of them root access!
First I used passmass to reset the application account (e.g. app1) password back to what it originally was on multiple servers.
Then via a script I did this on multiple servers:
# Turn off password aging (so pw won't expire)
passwd -x -1 app1
# Set app account so not required to change password at first login
passwd -u app1
That results in this:
app1:LgqREiwpnwoJk:15569::::90::
Then I got rid of the 90 using the rest of the script. It looks like this:
app1:LgqREiwpnwoJk:15569::::::
Now it works the way it should.
Note:
15569 (field 3) is the last password change (lastchanged): days since Jan 1, 1970 that the password was last changed.
I no longer care about it but left it there.
Field 4 is Minimum: the minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password.
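
The post above does not show "the rest of the script" that removed the 90. One way to do that field edit on a working copy of the file, as an added example that is not the poster's script: the function names, the `AWK` variable and the sample file are assumptions, and field 7 is where the 90 sits in the lines quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Works on a copy of a shadow-format file.
# On Solaris 10 use nawk or /usr/xpg4/bin/awk: legacy /usr/bin/awk lacks -v.
AWK=${AWK:-awk}

# clear_shadow_field FILE USER FIELD -> FILE on stdout, FIELD blanked for USER.
# Status: 0 ok, 1 USER not found, 2 USER's line is not 9 fields, 3 bad FIELD.
clear_shadow_field() {
    case $3 in
        [3-9]) ;;
        *) return 3 ;;          # 1 = login name, 2 = hash: never rewritten
    esac
    "$AWK" -F: -v OFS=: -v u="$2" -v f="$3" '
        $1 == u { found = 1; if (NF == 9) { $f = "" } else { bad = 1 } }
        { print }
        END { if (bad) exit 2; if (!found) exit 1 }
    ' "$1"
}

# update_copy FILE USER FIELD: rewrite FILE only if the edit succeeded,
# keeping the result unreadable to other users and replacing it with one mv.
update_copy() {
    tmp="$1.new.$$"
    ( umask 077; clear_shadow_field "$1" "$2" "$3" > "$tmp" ) || {
        rc=$?; rm -f "$tmp"; return $rc
    }
    chmod 400 "$tmp" && mv -f "$tmp" "$1"
}

# Constructed sample: two lines copied from the thread, "daemon" line made up.
write_sample() {
    cat > "$1" <<'EOF'
app1:LgqREiwpnwoJk:15569::::90::
user1:kOmcVXAImRTAY:0::::90::
daemon:NP:6445::::::
EOF
}

work=${TMPDIR:-/tmp}/shadow-demo.$$
mkdir -m 700 "$work" && write_sample "$work/shadow.copy"
update_copy "$work/shadow.copy" app1 7     # field 7 = the 90 in the post
grep '^app1:' "$work/shadow.copy"
rm -rf "$work"
```

The nonzero statuses matter when this runs across many servers: a missing account or a line without nine fields leaves the file untouched instead of writing a damaged entry.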