Hi all,
Anyway to reset the passwd expiring time without user having to reset it themselve? Beside altering the maximum number of days the password is valid in the shadow file, is there any other ways?
Reason, user forgot passwd and the account passwd cannot be reset, same passwd is need for existing application to login. Due to security audit reason, there is no way I can extend the max number of days the passwd expire.
Thanks
the real issue you need to resolve is you have to completely incompatible requirements. 1. you can't change the password ever, if I read your statement correctly. 2. for security reasons you are required to change the password often.
You need to come to an agreement, one way or the other first. Applications are capable of having a file that's not readable by everyone that has your encrypted password, so anytime it's changed you put the updated encryted password there.
It's also possible to lock the userid in shadow, so you can't login directly, but need to use "su - ID" to become that user, better yet, use a tool like sudo.
I suggest disabling the password altogether (Like NP in the shadow file or something). And then when there is no password, the password expiry field becomes meaningless.
Manage logging in with ssh keys if its possible. Talk to the security guys and come up with something thats acceptable to everyone. In solaris if your password expires then cron will stop functioning for that user, so its not really practical to have password expiry on an application account people rarely log into and dont have an enforced process of manual password resetting.
Btw what is the solaris version?