Is there a way to prevent password expiration when user has no password?
Solution 1:
If users aren't remembering their passwords, it's certainly because they don't have to use them. I would recommend using a centralized authentication system such as LDAP, so that each user has just one password that gives him access to everything.
This solves several problems in one:
- You don't have to worry about managing individual passwords on each host
- Users will actually remember their passwords because they need them
- You can manage password policy in one central place (the LDAP directory) and get users to change the password there, when needed (think of an email warning them about the expiration a few days before, etc...)
- You have centralized user management, saving everyone time when a new account needs creating, or an old one needs disabling (who's never heard "disable that user's account ASAP on all systems"?)
Solution 2:
According to this answer on SU, the user should still be able to login with their private key even if their password has expired.
I think the "key" is the user does have a password to expire. A private key is just another way for them to login. I believe that unless you disable password based logins (setting is PasswordAuthentication
in sshd_config), the user can still login with their password.
There is another setting in sshd_config called PermitEmptyPasswords
, which the default is "no". If you remove the user's password the only way to login should be with their private key. Since at that point there isn't a password, perhaps it won't expire.
This is just based on the ssh though. There are other areas to look at, such as console and su. I'm not sure how they handle empty passwords.
As a last resort you could always put a bash script on a cron to check which users have keys and set their expiration date accordingly. I would also do the reverse: If a user doesn't have a key make sure their expiration date isn't too far away.
Personally I would make everyone user public/private key pairs.
Solution 3:
So you can query the info via
chage -l username
And you can override the system wide default with the following
chage -I -1 -m 0 -M 99999 -E -1 username
I don't think there is anything you can set that says.. a user has no password so ignore it.