Support expiration for local users

canonical / charm-local-users

A subordinate charm for creating and managing local user accounts and groups on principal units.

Apache License 2.0

0 stars 4 forks source link

Support expiration for local users #7

Open jneo8 opened 9 months ago

jneo8 commented 9 months ago

We are adopting local-users charm to provide access to Field eng to Bootstack clouds.

It would be nice if we can set an expiration on the accounts added by the charm.

This will require some design discussion on how to achieve this.

Imported from Launchpad using lp2gh.

date created: 2023-05-16T13:48:12Z
owner: peppepetra
assignee: None
the launchpad url

jneo8 commented 9 months ago

(by marcusboden) To add to this: It would be good to control the expiration in general. On systems following CIS password guidelines, the password expiry may already be set. This means that the local-users created accounts will stop working after a while.

Since the password is disabled anyway, it would be good to disable the password expiration by default or at least add a config option for it.

marcusboden commented 1 day ago

We recently had issues with this again. My idea would be:

Set this for all charm-managed users:
- no expiration (-1), min_days (0) or max_days (-1) for password change (equivalent to chage -I -1 -m 0 -M -1 $user
give a config option for user expiration (e.g. 1month):
- set's expiration date to 1 month from now
- default is none (never expires)
- add action to reset this expiration date to (optional username, otherwise for all)

@peppepetra, what do you think? (you originally opened this back on launchpad)