Password aging for local accounts.

Support for security such as Firewalls and securing linux

Post by jxfish2 » 2020/09/25 20:02:22

To whom it may concern,

We are using single sign-on via Active Directory (AD).

AD has password aging set for each of those users and groups connecting to our Linux servers.

But, on a few of our servers, we have isolated local UserIDs configured.

I know that I can set password aging for each of these specific accounts, individually.

But, our corporate security department wants to set password aging for ALL locally created users on our servers, via /etc/login.defs.

I need to know: if we configure /etc/login.defs to handle password aging on the local servers, will that affect the users who log in via Active Directory credentials?

Will setting a server's default password aging parameters inside of /etc/login.defs interfere, or conflict with Active Directory?

As we may only have a few one-off local user accounts, I would almost prefer to set them manually, individually, per userID.

But, our security team is worried that we might miss something, if a new local userID is created, and we are not on top of it.

Again, would setting a server's default password aging via the /etc/login.defs file conflict or interfere with Active Directory users on our servers?


Re: Password aging for local accounts.

Post by kdpatil » 2020/11/19 08:18:29

just my 2 cents..

if you decide to use the local account, then use ssh keys to log in .. do not set passwd .. disable direct login to root & service account .. enable sudo & use syslog tools

as there is no passwd in this method, aging is out of the question, you will need to do

chage -M -1 -m -1 -W -1 -E -1 <local-id>

also this is much more secure than passwd .. the only thing is the user needs to set a pass-phrase & secure the private keys
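
An added example, not part of the original thread: a small audit for the concern raised above that a newly created local account could be missed, comparing each local shadow entry against the PASS_MAX_DAYS default in login.defs. It assumes what the login.defs man page states (the PASS_* defaults are applied only when a local account is created) and that AD accounts resolved through SSSD or winbind have no entry in /etc/shadow, so they never appear in the result. The sample files and user names are constructed.

```shell
#!/bin/sh
# Added example: find local accounts whose password aging is weaker than
# the PASS_MAX_DAYS default in login.defs. Sample data is constructed.

# Read PASS_MAX_DAYS from a login.defs-format file (comment lines never match).
policy_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { print $2; exit }' "$1"
}

# $1 = shadow-format file, $2 = policy maximum in days.
# Prints "user max_age" for accounts with a usable password whose maximum
# age (field 5) is unset, negative, or larger than the policy.
noncompliant_accounts() {
    awk -F: -v max="$2" '
        $2 ~ /^[!*]/ { next }   # locked or password-less (key-only) account
        $5 == "" || $5 + 0 < 0 || $5 + 0 > max + 0 {
            print $1, ($5 == "" ? "unset" : $5)
        }' "$1"
}

# Constructed sample files; on a real host point the functions at
# /etc/login.defs and /etc/shadow (root required). Names are hypothetical.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/login.defs" <<'EOF'
# PASS_MAX_DAYS 99999
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:!:18500:0:99999:7:::
appuser:$6$salt$hashhashhash:18500:1:90:7:::
legacy:$6$salt$hashhashhash:18400:0:99999:7:::
keyonly:!!:18500::::::
newuser:$6$salt$hashhashhash:18520:0::7:::
EOF

MAX=$(policy_max_days "$SAMPLE_DIR/login.defs")
echo "Policy PASS_MAX_DAYS: $MAX"
noncompliant_accounts "$SAMPLE_DIR/shadow" "$MAX"
```

Run from cron or a configuration-management check, the non-empty output is the list of local accounts that still need `chage -M` applied or their password locked.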
