Quote:
Originally Posted by
kwliew999
[...]by running the command pwdadm -c user, the ADMCHG flags will be removed from /etc/security/passwd file. But in the first place, why it doesn't remove the flags after root id has changed the password? Why we need to run this command of pwdadm -c to remove the flag ADMCHG manually?[...]
This is less a question of whether it would be technically possible but more a question of privacy. Depending on where you where brought up this might not be so obvious but where I live users prefer root not knowing their personal passwords. So while root can get around this little hurdle by removing the ADMCHG flag it is not the default. It has to be done intentionally which makes a difference from the legal perspective.
The ADMCHG flag is set if root changes another user's password. If that user changes his/her password (at first login) the ADMCHG flag is removed and the password is valid until it expires for some defined reason.
If you don't want a password to expire after a defined time set the maxage parameter to "0" in the user's settings. However, keeping a password forever is considered a security risk in certain environments.
From a mere technical point of view you could write a script to change password and run pwdadm in one step though.