Forcing Password Change

Anthony Plastino anthonyp at esociety.com
Tue Aug 1 15:45:05 GMT 2000


Hi all,

I can't seem to search the archives (for a while) and have looked through
several months of posts in those archives I _can_ get access to and I
haven't seen a mention of forcing password changes.  Nor is there any sort
of reference in the manual or any other documentation I can get my hands on.

I have a client that needs to be able to force users to change their
password at regular intervals.  In a pure NT or pure *nix environment this
is possible.  However, it seems to be impossible in their current
situation:

'98 workstations, samba is quasi domain controller and WINS server, NIS used
in part of the network and a separate system (non NIS) for
SMTP/POP3/calendaring and a CVS server (zero NT !!  :)  ).

When users are added into the system they get assigned a password by a
sysadmin. There are four distinct login IDs per user (POP3, NIS, samba, CVS)
as well as the Windows password.  To date, there is no way to allow for
non-repudiation, and that is a serious problem from my point of view--at
least one other person in the client's company knows anyone's password and
can masquerade as that user.

Simply trusting that a user will change their password is not enough; they
won't unless they are forced to.

I believe that I have a mechanism (set of scripts + SSH) that will interact
with samba to synchronize all of the systems when a user makes the change
from her control panel (the reasons for not moving completely to NIS or
LDAP are numerous).

Can someone point me to a source for forcing these users to change their
passwords?  How about adding an "acceptable use" banner to the login screen?
Forcing "good" (also read strong) password construction?

I wish that there was a viable alternative to windows, and having these
particular tools at hand would be most beneficial.

Thanks in advance,

Tony Plastino
anthonyp at esociety.com

=====================================
A. R. Plastino III
Network and Systems Security Engineer
eSociety
http://www.eSociety.com



More information about the samba-ntdom mailing list