How to prevent users from extending their window of valid login

security redhat pam hardening

Generally, password expiration is used to force users to change their passwords. What it sounds like you want to do is to lock the account, which prevents all login.

What I would suggest you do instead is, when you create the account, also set up an at job which will lock the account after four hours.

For example:

useradd temp8143
echo chage -E 0 temp8143 | at now + 4 hours

(chage -E expects expiration dates to be given in days, so we work around this with an at job.)


If you remove the setuid bit from the passwd command, only root will be able to use it. This will also disable the users from changing the password before it expires - which could otherwise be a way for the users to extend the account for another four hours.

[jenny@finch ~] sudo chmod -s /usr/bin/passwd
[jenny@finch ~]$ passwd
Changing password for user jenny.
Changing password for jenny.
(current) UNIX password: 
New password: 
Retype new password: 
passwd: Authentication token manipulation error

Root is still able to change any password:

[jenny@finch ~]$ sudo passwd jenny
Changing password for user jenny.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Related

Using a custom Tee command for .bat file
How can I take a larger screenshot on my iPhone?
Is it safe to use my US iPhone/iPad charger with a simple European plug adapter?
Schedule text message on iPhone
Can't disable "Press the Option key five times to turn Mouse Keys on and off"
Mountain Lion: how to change webcam resolution
Repeated pop-ups 'Safari wants to use the "login" keychain'
Is it possible to mount a DVD iso to look like it's a DVD drive?
Export podcast subscriptions from iOS podcast app as OPML
iOS 7: How to turn off camera's burst mode?
How to resize a photo in TextEdit? [closed]
Following Mavericks upgrade, Microsoft Word closes silently right after opening