roles/os_hardening/README.md
12 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -94,6 +94,18 @@ We are setting this sysctl to a default of `32`, some systems only support small
94
94
vm.mmap_rnd_bits: 16
95
95
```
96
96
97
+
### password expiry and SSH key based logins
98
+
99
+
With default PAM configuration setting a password expiry for users will also block SSH key logins after the password has expired.
100
+
We have added a flag for PAM to ignore the expiry if SSH keys or other login mechanisms are used.
101
+
If you choose to use your own PAM configuration please adjust it accordingly to contain `no_pass_expiry` in the `account` stage for the `pam_unix.so` module.
102
+
103
+
A valid example would look like this:
104
+
105
+
```text
106
+
account required pam_unix.so no_pass_expiry
107
+
```
108
+
97
109
## Testing with inspec
98
110
99
111
If you're using inspec to test your machines after applying this role, please make sure to add the connecting user to the `os_ignore_users`-variable.
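Review bot: the new "password expiry and SSH key based logins" section does not spell out the consequence of the flag it documents. With `no_pass_expiry` in the `account` stage, an expired password no longer stops key-based logins, so password expiry can no longer be relied on to cut off an account; suggest saying that explicitly next to "We have added a flag for PAM to ignore the expiry if SSH keys or other login mechanisms are used". The section also does not say which PAM file the example line `account required pam_unix.so no_pass_expiry` belongs in, or which role variable or template carries the flag, and readers maintaining their own PAM configuration need both. Style: the heading starts lowercase while `## Testing with inspec` is capitalised, and the first sentence reads more easily with a comma after "configuration".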