Is there a way to prevent password expiration when user has no password?

security centos redhat password-management shadow

Solution 1:

If users aren't remembering their passwords, it's certainly because they don't have to use them. I would recommend using a centralized authentication system such as LDAP, so that each user has just one password that gives him access to everything.

This solves several problems in one:

  • You don't have to worry about managing individual passwords on each host
  • Users will actually remember their passwords because they need them
  • You can manage password policy in one central place (the LDAP directory) and get users to change the password there, when needed (think of an email warning them about the expiration a few days before, etc...)
  • You have centralized user management, saving everyone time when a new account needs creating, or an old one needs disabling (who's never heard "disable that user's account ASAP on all systems"?)

Solution 2:

According to this answer on SU, the user should still be able to login with their private key even if their password has expired.

I think the "key" is the user does have a password to expire. A private key is just another way for them to login. I believe that unless you disable password based logins (setting is PasswordAuthentication in sshd_config), the user can still login with their password.

There is another setting in sshd_config called PermitEmptyPasswords, which the default is "no". If you remove the user's password the only way to login should be with their private key. Since at that point there isn't a password, perhaps it won't expire.

This is just based on the ssh though. There are other areas to look at, such as console and su. I'm not sure how they handle empty passwords.

As a last resort you could always put a bash script on a cron to check which users have keys and set their expiration date accordingly. I would also do the reverse: If a user doesn't have a key make sure their expiration date isn't too far away.

Personally I would make everyone user public/private key pairs.

Solution 3:

So you can query the info via

chage -l username

And you can override the system wide default with the following

chage -I -1 -m 0 -M 99999 -E -1 username

I don't think there is anything you can set that says.. a user has no password so ignore it.

Related

Is it possible to preload a user profile from a domain on a workstation that will be disconnected from the DC?
Windows 8 virtualization gives BSOD 0x0000005D
In Linux, does using route to blackhole an IP result in better performance than dropping in iptables? [duplicate]
Secure copy uucp style
Nagios3: Conditional operators for service checks?
How to create hash or yml from top level attributes values of node?
Store and forward mail but change FROM header in forwarded mail
switchless Infiniband between two servers on RHEL 6.3
How to check that all ZFS snapshots within a pool are without holds before destroying that pool
FreeNAS: Renaming a zpool
mongoexport csv output array values
Identify which process is responsible for heavy disk i/o under FreeBSD