Why does a passwordless account expire in PAM?


We have set up our account policies in PAM to follow the RHEL7 STIG guidelines http://rhel7stig.readthedocs.io/en/latest/. We do have some service accounts whose passwords are empty and which use SSH keys to log in. After 60 days the service accounts' passwords expire and the accounts get disabled. This is not the behavior I was expecting for a passwordless account; I did not think the password expiration would apply to passwordless accounts. How do I tell PAM not to expire passwordless accounts?

In login.defs

PASS_MIN_DAYS     1
PASS_MAX_DAYS     60
PASS_WARN_AGE     7
FAIL_DELAY        4

In /etc/default/useradd

INACTIVE=0

3 answers

Accepted answer:

Looks like I need to create these accounts as system accounts. From the useradd man page...

System users will be created with no aging information in /etc/shadow - https://linux.die.net/man/8/useradd

Example command.

useradd testuser --system

If you're using Ansible you can specify system in the user module.

- user:
    name: testuser
    group: testuser
    system: yes

The result is visible in /etc/shadow. Notice there is no password max-age entry for testuser.

[root@localhost ~]# useradd testuser --system
[root@localhost ~]# grep testuser /etc/shadow
testuser:!!:17417::::::

[root@localhost ~]# grep ryan /etc/shadow
ryan:*:18976:1:60:7:0::
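To make the difference between the two shadow lines above concrete, here is an added audit script (not part of the accepted answer or of shadow-utils) that parses /etc/shadow-format lines and reports which accounts have no usable password (key-only or locked) yet still carry aging fields, so PAM's account check will disable them once lastchange + max (+ inactive) days have passed. The sample shadow lines and the account names are constructed for the example; day numbers are days since 1970-01-01, exactly as /etc/shadow stores them.

```shell
#!/bin/sh
# Added audit example: find key-only accounts that password aging will disable.
# Shadow fields: name:password:lastchange:min:max:warn:inactive:expire:reserved
# An empty max field means "no aging"; an empty inactive field means "never
# disable"; inactive 0 (the useradd INACTIVE=0 default) disables the account on
# the same day the password expires.

# Constructed sample lines (not from a real system):
#   svc-deploy: key-only, created with plain useradd, aging 1/60/7, inactive 0
#   svc-backup: created with useradd --system, no aging fields at all
#   svc-build:  key-only, max 99999 (effectively never expires)
#   ryan:       ordinary user with a real hash and the same 1/60/7/0 aging
SAMPLE_SHADOW='svc-deploy:!!:18976:1:60:7:0::
svc-backup:!!:17417::::::
svc-build:!!:18976:1:99999:7:::
ryan:$6$salt$hashhashhash:18976:1:60:7:0::'

# shadow_aging_report <today_daynumber>
# Reads shadow lines on stdin and prints one line per account:
#   <name> <kind> <status> <disable_day>
# kind:   key-only (no usable password) | password
# status: no-aging | ok | expired | disabled
shadow_aging_report() {
    awk -F: -v today="$1" '
    {
        name = $1; pw = $2; last = $3; max = $5; inact = $7
        # "!!", "!", "*" or an empty field means no password can be used
        kind = (pw == "" || pw == "!" || pw == "!!" || pw == "*") ? "key-only" : "password"
        if (max == "" || last == "") { print name, kind, "no-aging", "-"; next }
        expire_day = last + max                  # last day the password is valid
        # empty/negative inactive means the account is never disabled
        disable_day = (inact == "" || inact + 0 < 0) ? -1 : expire_day + inact
        if (today <= expire_day)       status = "ok"
        else if (disable_day < 0)      status = "expired"
        else if (today <= disable_day) status = "expired"
        else                           status = "disabled"
        print name, kind, status, (disable_day < 0 ? "never" : disable_day)
    }'
}

# risky_key_only_accounts <today_daynumber>
# Names of key-only accounts that aging will disable at some point, i.e. the
# situation described in the question, regardless of whether it has happened yet.
risky_key_only_accounts() {
    printf '%s\n' "$SAMPLE_SHADOW" | shadow_aging_report "$1" \
        | awk '$2 == "key-only" && $4 != "-" && $4 != "never" { print $1 }'
}

# Day 19040 is 64 days after 18976: svc-deploy has expired and, with inactive 0,
# is already disabled; svc-backup and svc-build are untouched.
printf '%s\n' "$SAMPLE_SHADOW" | shadow_aging_report 19040
```

On a real host you would feed it `sudo cat /etc/shadow` and `$(( $(date +%s) / 86400 ))` as today's day number; the decision logic mirrors pam_unix's account check, which compares the current day against lastchange + max and then against + inactive.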
Second answer:

Since the system doesn't care whether these accounts have a password or not, you'll have to set PASS_MAX_DAYS to 99999 or whatever seems appropriate for these accounts.

Third answer:

A PAM solution offers a secure, streamlined way to authorize and monitor all privileged users for all relevant systems.

IT teams commonly share root, Windows Administrator, and many other privileged credentials for convenience so workloads and duties can be seamlessly shared as needed. Now, multiple people sharing the same account password creates security, auditability, and compliance issues. Privileged accounts and credentials may be managed differently across various organizational silos, leading to inconsistent enforcement of best practices. Applications and service accounts frequently possess excessive privileged access rights by default, and also suffer from other serious security deficiencies.

  • The solution can be: "UsePAM no"
  • The solution can be: Set the users password to never expire
  • You might not want to change your PAM or sshd_config for compliance reasons.
  • You might be using PasswordAuthentication no in sshd_config
  • You might have randomized passwords.
  • You might even have implemented CIS compliance.

Still, if your users get the prompt, then root can tweak the password-changed date:

for user in $(grep ":x:[0-9]\{4\}" /etc/passwd | cut -d: -f1); do chage -d today "$user"; done

Attaching a few references:

Final Thoughts:

I believe that we need to keep our accounts authenticated to avoid any 3rd party or other irrelevant users accessing our data & information, for the reason that we may have confidential data that we may want to protect from diverse eyes that are on the web.

Also, you may take a look at this answer if you need another perspective on my answer (https://stackoverflow.com/a/46120833/18154805).