Tuesday, December 30, 2014

Warn about password expiration without forcing change


It's pretty simple. I would like to figure out what combination of changes in /etc/login.defs and/or /etc/pam.d/system-auth-ac I would need to perform to allow the following behavior:



  • I want a user's password to be valid for 60 days.
  • After 60 days, the system needs to yell at the user when they log in, telling them they need to change their password ASAP.
  • The system must not impede the user's access to the system.
  • This must apply to existing users (non-system accounts, UID >=500) as well as any newly-created users.

Rationale: Limited users will not be managing the system account passwords, only system admin(s). Therefore, users should not have their access to the system impeded because the admin missed a password change. The number of accounts is rather small (maybe 9 or 10), but we're all human and we forget to do stuff from time to time.


I'm not sure if login.defs or PAM offer this. The documentation leads me to believe that you can either have the system force the user to change their password when it expires, or you can have the password not age at all. A third option is to have the password age limit set to some huge amount, like 9,999 days, and then start warning the user that their password will expire in 9,936 days, but that's not really what I need either. I've done other kinds of PAM configuration, so it's not my first trip around the block. I'm just stuck on this problem.


So, can this be done with PAM/login.defs, or do I need another utility that can take their place?
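One way to get the requested behaviour, shown here as an added example that is not part of the original post and not any distribution's stock PAM configuration: leave the max-days field in /etc/shadow at its default so that pam_unix never forces a change, and do the warning in a separate script run from the session stack through pam_exec.so. The script path, the pam_exec line, and the 60-day limit and UID 500 floor are assumptions taken from the question. The aging arithmetic is done against the "last change" field of /etc/shadow (days since the epoch), which is the same value chage and pam_unix use.

```shell
#!/bin/sh
# Added example, not part of the original post: warn at login when a password
# is older than MAX_DAYS without blocking the session. Intended to be run from
# the PAM session stack, e.g. in /etc/pam.d/system-auth-ac:
#   session    optional    pam_exec.so stdout /usr/local/sbin/pw-age-warn.sh
# The script path, the 60-day limit and the 500 UID floor are assumptions
# taken from the question, not values from any distribution.
MAX_DAYS=${MAX_DAYS:-60}
MIN_UID=${MIN_UID:-500}

# Days since the Unix epoch, the unit /etc/shadow uses for its "last change"
# field (the third colon-separated field).
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# Print the age in days of the password in shadow line $1 as of day $2
# (epoch-days). Prints nothing and returns 1 when aging does not apply:
# a locked or empty hash (starting with * or !), or an empty/zero last-change.
password_age_days() {
    _hash=$(printf '%s\n' "$1" | cut -d: -f2)
    _last=$(printf '%s\n' "$1" | cut -d: -f3)
    case "$_hash" in
        ''|'*'*|'!'*) return 1 ;;
    esac
    case "$_last" in
        ''|0) return 1 ;;
    esac
    echo $(( $2 - $_last ))
}

# True (exit 0) when the password in shadow line $1 is older than MAX_DAYS
# as of day $2; false for younger passwords and for accounts without aging.
password_expired() {
    _age=$(password_age_days "$1" "$2") || return 1
    [ "$_age" -gt "$MAX_DAYS" ]
}

# The message shown to user $1 whose shadow line is $2, as of day $3.
warn_message() {
    _age=$(password_age_days "$2" "$3") || return 1
    printf 'WARNING: the password for %s is %s days old (limit %s days).\n' \
        "$1" "$_age" "$MAX_DAYS"
    printf 'Please change it as soon as possible with: passwd\n'
}

# Entry point under pam_exec: PAM exports the user name as PAM_USER. login
# and sshd run the session stack as root, which reading /etc/shadow needs.
# Always exits 0 so a stray error can never turn the warning into a failure.
main() {
    _user=$PAM_USER
    _uid=$(id -u "$_user" 2>/dev/null) || exit 0
    [ "$_uid" -ge "$MIN_UID" ] || exit 0          # system accounts: skip
    _line=$(getent shadow "$_user" 2>/dev/null) || exit 0
    _today=$(today_days)
    if password_expired "$_line" "$_today"; then
        warn_message "$_user" "$_line" "$_today"
    fi
    exit 0
}

if [ -n "${PAM_USER:-}" ]; then
    main
fi
```

Two points matter for the "must not impede access" requirement: the module is declared `optional`, so neither a non-zero exit nor a missing script can fail the session, and the script itself never exits non-zero. The `stdout` option of pam_exec.so is what makes the printed text reach the login program; without it the output goes to /dev/null. Tools that run the session stack without root (su from an unprivileged user, for example) cannot read /etc/shadow, in which case `getent shadow` fails and the script exits quietly, so the warning is only reliable on login paths that run as root.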


