I use the initialPassword option, with mutable users enabled.
I think it would be better if I could just require users to set their password on 1st use, so initial onboarding is easier. Would that be possible with NixOS? How?
Maybe with some crazy pam magic, but I don’t think there are off-the-shelf solutions. Display managers don’t implement password change prompts, nor does the tty login, so a user must be logged in to change their password.
Best you can do is set the expiry date to the past, which will lock the account until an administrator sets a new password AIUI.
This is not true.
Just try:
sudo passwd --expire other-user
The next time that user does log in in GDM, after writing their old password, GDM will ask them to change it.
Oh, neat, that is super cool! I had never seen that when implementing lightdm greeters, sorry for the misinformation.
I tested this but it doesn’t provide the UX I’m looking for.
The point is I’d like to send laptops to newcomers with a standard password, and force/help them to change it on 1st login.
With this, the account is expired, not the password. Thus there’s a message in GDM that tells you to ask the administrator.
I guess NixOS is lacking this feature for now…
It’s worth noting that NixOS is just a thin abstraction layer over the base OS. If you can figure out how to declaratively expire a user such that you get the described behavior from gdm, implementing it with NixOS is possible.
So the question is, what’s the difference between the way you set the past expiration date in this experiment and passwd --expire?
You could also set up a systemd unit with wantedBy on the special first boot unit that expires the user with passwd. Refer to the systemd docs on how to make that work.
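A sketch of the one-shot unit suggested in the last reply, added here as an example and not posted by anyone in the thread. It guards the run with a stamp file rather than systemd's first-boot condition; the account name `newcomer`, the placeholder password, and the unit and stamp names are assumptions.

```nix
{ pkgs, ... }:
let
  # Hypothetical account name, chosen for this example.
  user = "newcomer";
  # Hypothetical stamp file marking that the expiry has already been applied.
  stamp = "/var/lib/expire-initial-password/${user}";
in
{
  users.mutableUsers = true;

  users.users.${user} = {
    isNormalUser = true;
    # Placeholder value. initialPassword ends up world-readable in the Nix
    # store, so treat it as a throwaway onboarding secret only.
    initialPassword = "change-me-placeholder";
  };

  systemd.services.expire-initial-password = {
    description = "Force ${user} to choose a new password at first login";
    wantedBy = [ "multi-user.target" ];
    # Finish before a graphical or tty login prompt is offered.
    before = [ "display-manager.service" "getty.target" ];
    # Skip the unit on every boot after the first successful run, so a
    # password the user has since chosen is not expired again.
    unitConfig.ConditionPathExists = "!${stamp}";
    # Provides the passwd binary.
    path = [ pkgs.shadow ];
    serviceConfig = {
      Type = "oneshot";
      # Creates /var/lib/expire-initial-password owned by root.
      StateDirectory = "expire-initial-password";
    };
    script = ''
      # Expires the password (not the account), as in the command shown
      # earlier in the thread.
      passwd --expire ${user}
      touch ${stamp}
    '';
  };
}
```

After the first boot, `sudo chage -l newcomer` should report that the password must be changed while the account expiry stays at "never".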