You want to expire your users' passwords
Use the password_max_age attribute on the user resource
class password_expiry {
  user { 'fusco':
    ensure           => 'present',
    # note the single quotes to stop $ expanding
    password         => '$6$LD5..snip...gNY1',
    password_max_age => 30,
  }
}
$ chage -l fusco
Last password change: Mar 10, 2018
Password expires: Apr 09, 2018
Having a password is excellent; having a password and changing it every
now and again is even better. By adding the password_max_age attribute, with the
value given in days, to your Puppet user resources, you can require your
users to change their passwords on a periodic basis.
Once you have created a user with an explicit password expiry you can view the
settings using chage on the command line:
$ chage -l fusco
Last password change: Mar 10, 2018
Password expires: Apr 09, 2018
If you are using a very modern version of Puppet, 5.4 or above, you can add
the password_warn_days attribute to manage how much notice a user will have
before their password expires. The warning is visible during the login process:
$ ssh machine -l fusco
fusco@machine password:
Warning: your password will expire in 3 days
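
To check that the expiry settings described above are in place on every account, rather than running chage one user at a time, the following added example (not part of the original recipe) audits shadow(5)-format lines against a maximum age. It assumes a Linux system that stores the maximum age and warning days in fields 5 and 6 of that format; the function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit shadow(5)-format lines
# against a maximum password age.
# Fields: 1=user 2=hash 3=last change (days since 1970-01-01)
#         5=maximum age in days 6=warning days

# Constructed sample data. Single quotes stop the shell expanding "$6$...".
# Day 17600 is Mar 10, 2018.
sample_shadow() {
    printf '%s\n' \
        'fusco:$6$constructed$hash:17600:0:30:3:::' \
        'reese:$6$constructed$hash:17600:0:99999:7:::' \
        'finch:$6$constructed$hash:17600:0:90:7:::' \
        'daemon:*:17600:0:99999:7:::'
}

# Usage: audit_shadow MAX_DAYS < shadow-format-input
audit_shadow() {
    awk -F: -v limit="$1" '
        # Locked accounts (hash starts with ! or *) cannot use a password.
        $2 ~ /^[!*]/ { next }
        # An empty or 99999 maximum age means the password never expires.
        $5 == "" || $5 + 0 >= 99999 { print "FAIL", $1, "no-expiry"; next }
        # Expiry is set, but later than the policy allows.
        $5 + 0 > limit + 0 { print "FAIL", $1, "max-age=" $5; next }
        # Compliant: report the expiry day and the warning period.
        { print "OK", $1, "expires_day=" ($3 + $5), "warn=" ($6 == "" ? 0 : $6) }
    '
}

sample_shadow | audit_shadow 30
```

On a real host the input would come from the shadow file itself, read as root, in place of the constructed sample.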