gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

PAM expiring users #9102

Open klizhentas opened 2 years ago

klizhentas commented 2 years ago

What

When our PAM module creates users, let's make the user entry last for the duration of the session. We can achieve that by specifying useradd -r ttl. Props to @jon-can for the idea. This aligns really well with the notion of expiring certificates we are using.

https://goteleport.com/docs/server-access/guides/ssh-pam/#examples

While we are on it, can we improve UX by adding this script to our auto install:

https://goteleport.com/docs/server-access/guides/ssh-pam/#examples

Are there any downsides to making this automatic and having it work all the time when PAM is enabled?

russjones commented 2 years ago

I think we can use userdel here and just have it run in the session stack for PAM. If someone is still logged in, userdel will fail, but after the last logout, it will succeed. You can tell userdel to not remove home directories as well; it will just update the user database.

Someone does need to verify this.
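A pam_exec session hook in the shape described above, added here as an example and not code from Teleport or from anyone in this thread. It assumes the PAM line `session optional pam_exec.so /etc/security/teleport-expire-user.sh` and a marker directory that the user-creating script populates; both the path and the marker convention are hypothetical.

```shell
#!/bin/sh
# Added example (not Teleport's code): run from the PAM session stack via
# pam_exec, which exports PAM_TYPE (open_session/close_session) and PAM_USER.
# Only users the PAM module created are eligible for removal; we assume the
# creating script drops a marker file at $MARKER_DIR/<user> (constructed
# convention, not Teleport's).
MARKER_DIR="${MARKER_DIR:-/var/lib/teleport/pam-users}"

# should_expire <pam_type> <user>
# Returns 0 when the user should be removed, 1 otherwise.
should_expire() {
    pam_type="$1"
    user="$2"
    [ "$pam_type" = "close_session" ] || return 1
    case "$user" in
        ""|root) return 1 ;;        # never act on root or an empty PAM_USER
        */*|..*) return 1 ;;        # refuse path-like names before touching the filesystem
    esac
    [ -f "$MARKER_DIR/$user" ] || return 1
    return 0
}

# expire_user <user>
# userdel without -r keeps the home directory and only updates the user
# database; it fails while the user still has another session, so the
# last logout is the one that actually removes the account.
expire_user() {
    user="$1"
    if userdel "$user" 2>/dev/null; then
        rm -f "$MARKER_DIR/$user"
        logger -t teleport-pam "removed expired user $user"
        return 0
    fi
    logger -t teleport-pam "user $user still in use, deferring removal"
    return 1
}

# Act only when invoked by pam_exec (PAM_TYPE set); never fail the session stack.
if [ -n "${PAM_TYPE:-}" ]; then
    if should_expire "$PAM_TYPE" "${PAM_USER:-}"; then
        expire_user "$PAM_USER"
    fi
    exit 0
fi
```

Auditing the `logger` lines in syslog gives a per-user record of when each account was removed or deferred, which is the check to run when verifying the behaviour on a test host.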