We have set up our account policies in PAM to follow the RHEL7 STIG guidelines http://rhel7stig.readthedocs.io/en/latest/. We do have some service accounts whose passwords are empty and which use SSH keys to log in. After the 60 days the service accounts' passwords expire and the accounts get disabled. This is not the behavior I was expecting for a passwordless account; I did not think the password expiration would have applied to passwordless accounts. How do I tell PAM not to expire passwordless accounts?
In login.defs
PASS_MIN_DAYS 1
PASS_MAX_DAYS 60
PASS_WARN_AGE 7
FAIL_DELAY 4
In /etc/default/useradd
INACTIVE=0
Looks like I need to create these accounts as system accounts. From the useradd man page...
System users will be created with no aging information in /etc/shadow - https://linux.die.net/man/8/useradd
Example command.
useradd testuser --system
If you're using Ansible you can specify system in the user module.
- user:
    name: testuser
    group: testuser
    system: yes
The result is visible in /etc/shadow. Notice there is no password max age entry for testuser.
[root@localhost ~]# useradd testuser --system
[root@localhost ~]# grep testuser /etc/shadow
testuser:!!:17417::::::
[root@localhost ~]# grep ryan /etc/shadow
ryan:*:18976:1:60:7:0::
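To check which existing accounts are in the situation the question describes (no usable password, yet still subject to PASS_MAX_DAYS), here is an added audit script that is not part of the original post. It reads /etc/shadow-format lines, flags entries whose password field is empty, "!", "!!" or "*" but whose max-age field is set, and reports the day (days since the epoch, as /etc/shadow counts them) on which the password expires. The sample lines are constructed for the example; only the testuser and ryan lines come from the answer above.

```shell
#!/bin/sh
# Audit /etc/shadow-format entries for accounts that cannot authenticate with a
# password (field 2 is "", "!", "!!" or "*") but still carry a finite password
# max age (field 5). PASS_MAX_DAYS applies to them just like any other account,
# so key-only service accounts created as normal users will be expired.
# Usage on a real host: audit_keyed_accounts < /etc/shadow

audit_keyed_accounts() {
    # Prints "name:lastchg:max:expires_day" for every flagged entry.
    awk -F: '
        # Field layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
        $2 == "" || $2 == "!" || $2 == "!!" || $2 == "*" {
            # An empty max field means "no aging information", which is what
            # useradd --system produces; 99999 is the conventional "never".
            if ($5 != "" && $5 + 0 < 99999) {
                print $1 ":" $3 ":" $5 ":" ($3 + $5)
            }
        }'
}

# Constructed sample data (not taken from a real host):
#   testuser - created with --system, no aging info, not flagged
#   deploy   - key-only service account created as a normal user, flagged
#   alice    - regular user with a real password hash, not flagged
#   ryan     - the locked-password account from the answer above, flagged
#   nobody   - locked, no aging info, not flagged
SAMPLE_SHADOW='testuser:!!:17417::::::
deploy:!!:18900:1:60:7:0::
alice:$6$saltsalt$fakehash:18950:1:60:7:0::
ryan:*:18976:1:60:7:0::
nobody:*:17000::::::'

flagged() {
    printf "%s\n" "$SAMPLE_SHADOW" | audit_keyed_accounts
}

flagged
```

Accounts the script lists will be disabled once the reported day passes, because the STIG sets INACTIVE=0 in /etc/default/useradd.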