Change password expiry #949

defendable-binnver · 2025-06-03T10:16:27Z

defendable-binnver
Jun 3, 2025

Hello there!

After a while of using Authd with EntraID, the local passwords are forced to be changed. Due to possible password fatigue from this, we would like to extend the duration of local password.
I would assume this is possible, however I am unable to find any mention of such a feature in the documenation I have found.
Is this possible at all? If so, what did I miss?

Thank you in advance for any assistance!

adombeck · 2025-06-03T10:19:52Z

adombeck
Jun 3, 2025
Maintainer

After a while of using Authd with EntraID, the local passwords are forced to be changed.

That should not be the case. You're only asked to create a local password when you authenticate via device authentication again, instead of authenticating with the existing local password. You can also choose the same local password in that case.

7 replies

defendable-binnver Jun 3, 2025
Author

Thank you for your fast follow up again!
I did a test on another system, and it did happen again.

I reviewed the usual Authd logs and snap.auhd-entraid logs on the client side, with no trace of this happening.
Kernel logs and authentication logs did not tell me anything other than that a user logged in either.
I am therefore quite uncertain which log-files would be of interest here?

I checked /etc/secutiry/pwquality.conf and /etc/login.defs as well, and see no trace of any setting that would cause this.
As far as I know, we have not changed any defaults in any of these files either. Login.defs had PASS_MAX_DAYS 99999, and as far as I saw, there were no related setting option in pwquality, though every single line started with a # which I would assume means it is commented out.

adombeck Jun 3, 2025
Maintainer

I am therefore quite uncertain which log-files would be of interest here?

The authd and authd-msentraid logs. You can execute the command in the bug report template to get those logs.

every single line started with a # which I would assume means it is commented out.

yes, that means you're using the default settings.

adombeck Jun 3, 2025
Maintainer

You can execute the command in the bug report template to get those logs.

It would be best if you just file a GitHub issue with these logs.

adombeck Jun 3, 2025
Maintainer

Oh and execute sudo -v in the terminal before pasting the command from the bug report template, to avoid that it prompts for the sudo password with the prompt being hidden (#935).

defendable-binnver Jun 3, 2025
Author

Created a bug report now: #950

Thank you! :)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Change password expiry #949

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 7 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Change password expiry #949

Uh oh!

Uh oh!

defendable-binnver Jun 3, 2025

Replies: 1 comment · 7 replies

Uh oh!

adombeck Jun 3, 2025 Maintainer

Uh oh!

defendable-binnver Jun 3, 2025 Author

Uh oh!

adombeck Jun 3, 2025 Maintainer

Uh oh!

adombeck Jun 3, 2025 Maintainer

Uh oh!

adombeck Jun 3, 2025 Maintainer

Uh oh!

Uh oh!

defendable-binnver Jun 3, 2025 Author

defendable-binnver
Jun 3, 2025

Replies: 1 comment 7 replies

adombeck
Jun 3, 2025
Maintainer

defendable-binnver Jun 3, 2025
Author

adombeck Jun 3, 2025
Maintainer

adombeck Jun 3, 2025
Maintainer

adombeck Jun 3, 2025
Maintainer

defendable-binnver Jun 3, 2025
Author