How to prevent users from extending their window of valid login

born to hula asked:

Been working on some security hardening procedures for a RedHat box, and I wanted to know if would be possible to prevent a user from changing his password, once it’s expired.

For one of our clients the requirement is that they must only have access to the server through temporary accounts, meaning that once the user credentials are created, password must expire within 4 hours, and once password expires, only root should be able to change it.

For the first requirement (passwords expiring after 4 hours), I guess it could be achieved by setting passwordMaxAge = 144000. But I still couldn’t find a way of preventing the users of changing expired passwords, without turning off password expiration.

Can anyone help?

My answer:

Generally, password expiration is used to force users to change their passwords. What it sounds like you want to do is to lock the account, which prevents all login.

What I would suggest you do instead is, when you create the account, also set up an at job which will lock the account after four hours.

For example:

useradd temp8143
echo chage -E 0 temp8143 | at now + 4 hours

(chage -E expects expiration dates to be given in days, so we work around this with an at job.)

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.