A collection of task-oriented solutions in Puppet

 

Expire user passwords

Challenge

You want to expire your users' passwords.

Solution

Use the password_max_age attribute on the user resource:

class password_expiry {

  user { 'fusco':
    ensure           => 'present',
    # note the single quotes to stop $ expanding
    password         => '$6$LD5..snip...gNY1',
    password_max_age => 30,
  }

}

$ chage -l fusco

Last password change: Mar 10, 2018
Password expires:     Apr 09, 2018

Explanation

Having a password is excellent; having a password and changing it every now and again is even better. By adding the password_max_age attribute, with the value given in days, to your Puppet user resources you can require your users to change their passwords on a periodic basis.

Once you have created a user with an explicit password expiry you can view the settings using chage on the command line:

$ chage -l fusco

Last password change: Mar 10, 2018
Password expires:     Apr 09, 2018

If you are using a very modern version of Puppet, 5.4 or above, you can add the password_warn_days attribute to manage how much notice a user will have before their password expires. This is visible during the login process:

$ ssh machine -l fusco

fusco@machine password:
Warning: your password will expire in 3 days
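
To check that the ageing settings from the manifest actually landed on a host, the following added example (not part of the original page) reads shadow(5)-format entries, where field 5 is the maximum age and field 6 the warning period, and flags accounts that miss the policy. The function names, the sample entries and the 3-day warning threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit shadow(5) entries against a password ageing policy.
# Fields: 1=name 2=hash 3=last change (days since 1970-01-01)
#         4=min age 5=max age 6=warn days
#
# Usage: audit_aging MAX_AGE WARN_DAYS TODAY < shadow-format-lines
# TODAY is days since the epoch, passed in so results are reproducible.
# Prints "<user> <status> <detail>" with one line per account that can log in.
audit_aging() {
  awk -F: -v max="$1" -v warn="$2" -v today="$3" '
    # Locked or password-less accounts: ageing does not apply, skip them.
    $2 == "" || $2 ~ /^[!*]/ { next }
    # No maximum age, or one longer than the policy allows.
    $5 == "" || $5 + 0 > max + 0 {
      print $1, "MAX_AGE", ($5 == "" ? "unset" : $5); next
    }
    # No warning period, or one shorter than the policy requires.
    $6 == "" || $6 + 0 < warn + 0 {
      print $1, "WARN_DAYS", ($6 == "" ? "unset" : $6); next
    }
    # Expiry day (last change + max age) has already passed.
    $3 + $5 < today + 0 { print $1, "EXPIRED", $3 + $5; next }
    # Compliant: report the day the password expires.
    { print $1, "OK", $3 + $5 }
  '
}

# Constructed sample entries (hashes are placeholders, not real).
# 17600 is Mar 10, 2018, so 17600 + 30 = 17630 is Apr 09, 2018.
sample_shadow() {
  cat <<'EOF'
fusco:$6$CONSTRUCTED$hash:17600:0:30:3:::
reese:$6$CONSTRUCTED$hash:17600:0:99999:7:::
finch:$6$CONSTRUCTED$hash:17600:0:30::::
root:!:17600:0:99999:7:::
EOF
}

# Policy: 30 day max age, 3 day warning, evaluated as of day 17620.
sample_shadow | audit_aging 30 3 17620

# On a real host (as root):
#   getent shadow | audit_aging 30 3 "$(( $(date +%s) / 86400 ))"
```

Any account reported as MAX_AGE or WARN_DAYS is one whose user resource is missing password_max_age or password_warn_days, or is not managed by Puppet at all.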

See also