Is it possible with “chage” to configure a password caducity for, at most, 2 hours? I think “chage” only allows caducity for, at least, one day.
You’re pushing the limits of my memories of latin class, but if I understand what you’re asking, you want to set the expiration of a password to a specific hour, not day.
The password age, minimum age and maximum age fields in /etc/shadow are stored as an integer in days, so no, I don’t believe you can set it to a specific hour.
—
Jonathan Billings
chage apparently depends on the shadow file which is day-based. You might want to be more specific when you say “limit”, are you trying to force password changes every 2 hours or force logout every 2 hours or something else? The reason I ask is you’re probably into the “create your own method” arena where exactly what you’re trying to do may greatly influence the possibilities.
If you just want to create a really small window where SSH logins will succeed, you can instead use OpenSSH’s CA certificate signing of pubkeys method, with the signature expiring at the very second you want it to expire.
5 thoughts on - Limit User Password By Time
Hi,
You can try the ‘chage’ command.
Regards
Gestió Servidors schrieb am Do., 31. Okt. 2019,
13:17:
CentOS mailing list CentOS@CentOS.org https://lists.CentOS.org/mailman/listinfo/CentOS
Is it possible with “chage” to configure a password caducity for, at most, 2 hours? I think “chage” only allows caducity for, at least, one day.
You’re pushing the limits of my memories of latin class, but if I understand what you’re asking, you want to set the expiration of a password to a specific hour, not day.
The password age, minimum age and maximum age fields in /etc/shadow are stored as an integer in days, so no, I don’t believe you can set it to a specific hour.
—
Jonathan Billings
chage apparently depends on the shadow file which is day-based. You might want to be more specific when you say “limit”, are you trying to force password changes every 2 hours or force logout every 2 hours or something else? The reason I ask is you’re probably into the “create your own method” arena where exactly what you’re trying to do may greatly influence the possibilities.
If you just want to create a really small window where SSH logins will succeed, you can instead use OpenSSH’s CA certificate signing of pubkeys method, with the signature expiring at the very second you want it to expire.
Facebook engineering had a pretty good article about it recently:
https://engineering.fb.com/security/scalable-and-secure-access-with-ssh/
—
Jonathan Billings