topic Re: password expiry on linux box in Operating System - Linux

password expiry on linux box

monu_1 — Tue, 29 Jun 2010 16:22:31 GMT

Hi Guru,

In my linux box, there is a normal user (let say xyz). This user password is subject to password controls (expires after configured number of days).

We used to scp login in this box as xyz user (a script which is hardcoded xyz user and its password) and collect few data from remote end.

Problem: Let say passowrd has been expired and obivously login as xyz user would failed after that and we couldn't fetch the data from this box remotly.

Question: What are the appropriate mechanism to acheive the data without affecting password exipry limitation?

Thanking you!

Re: password expiry on linux box

Steven E. Protter — Tue, 29 Jun 2010 18:50:08 GMT

Shalom,

If the password expires, the scp transfer will stop. No way around that other than to insure the password does not expire.

The passwd command on Linux lets you set the expiration time as long as you want. If this user is not one that normally logs on the system, you can safely extend the expiration.

Be prepared to explain this to any security auditors that happen to notice it.

SEP

Re: password expiry on linux box

Jared Middleton — Tue, 29 Jun 2010 22:28:00 GMT

I find it best to separate accounts used primarily for interactive user login from those used primarily for batch/cron type access.

For the latter, cron jobs would also fail if the account password "expires". So, I generally set password expiration to Never, but also disable interactive password login. Then, sudo is configured for local "sudo -u USERID COMMAND" access only.

If you're using SSH (and it sounds like you are with scp), you could setup a passwordless public/private key relationship between the source and target hosts that would not be affected by password expiration.

Re: password expiry on linux box

dirk dierickx — Thu, 01 Jul 2010 10:58:41 GMT

like above, i suggest to use passwordless login using a published key. i don't know who or how your script is used, but hardcoding passwords all over the place is a pita.

Re: password expiry on linux box

Donny Jekels — Mon, 19 Jul 2010 03:06:00 GMT

make the user account not to expire ever.

Re: password expiry on linux box

monu_1 — Sun, 29 Aug 2010 08:53:13 GMT

Thanks all for support. I will go with Steve.

Disbaled password expiry for normal user in the box at the time of start-up level.

chage -M -1

BR,

MKS

Re: password expiry on linux box

Tim Nelson — Mon, 30 Aug 2010 18:11:59 GMT

FYI,

you only need to execute the chage command once. ( no need to include in a boot script )

in an effort to maintain some additional security why not set up ssh keys, restrict this account to sftp only and use a batch file that does not include a visable password.