On Fri, June 17, 2016 12:31, Valeri Galtsev wrote:
On Fri, June 17, 2016 10:19 am, James B. Byrne wrote:
Keys issued to individuals certainly should have short time limits on them. In the same way that user accounts on systems should always have a near term expiry date set. People are careless. And their motivations are subject to change.
James, though in general one is likely to agree with this, I still consider the conclusion I came to after discussions more than a decade ago valid for myself. Namely: forcing everyone to change passwords often pisses careful people off for nothing. Passwords they create and carefully keep can stand for decades, and can only be compromised on some compromised machine.
But I never mentioned anything about passwords. I quite agree with you with respect to avoiding needless password churn. What I wrote was specifically user accounts and their expiry dates. These should be short. Say six to twelve months or so. When the account expires then it can be renewed for another six or 12 months. The password for it is not changed.
One can always write a script to automatically search for and report pending expirations. There is no real need for accounts to actually expire. But, even if accounts do expire for active users then it is not much of a hardship to report the fact and to have them reactivated. On the other hand, disused accounts never get reported and remain deactivated.
Also, when a person leaves our employ and somehow the cancellation of all or some of their accounts gets overlooked in the out-processing, then shortly their accounts will be deactivated automatically. A fail-safe mechanism.
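The pending-expiry report James describes above, as an added example of my own rather than code from this thread: it reads shadow-format lines from stdin (the account expiry date is field 8, counted in days since 1970-01-01) and lists accounts that expire within a given window or have already expired. The sample shadow lines and the fixed "today" value are constructed for the demonstration; in production it would be run as root with `< /etc/shadow`.

```shell
#!/bin/sh
# report_expiring DAYS [TODAY]
#   DAYS  : warning window in days
#   TODAY : current day number (days since epoch); defaults to the real date
# Reads /etc/shadow-format lines from stdin and prints one line per account
# whose expiry date (field 8) is within DAYS or already in the past.
# Accounts with no expiry date set (empty field 8) are never reported.
report_expiring() {
    window=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" -v window="$window" '
        $8 == "" { next }                 # no expiry date: skip
        {
            left = $8 - today             # days until expiry (negative = past)
            if (left < 0)
                printf "EXPIRED  %-16s %d days ago\n", $1, -left
            else if (left <= window)
                printf "PENDING  %-16s in %d days\n", $1, left
        }'
}

# Constructed sample data (hypothetical users, hashes truncated):
# day 17000 is the constructed "today"; alice expires in 30 days, bob in 5,
# carol has no expiry set, dave expired 10 days ago.
SAMPLE_SHADOW='alice:$6$abc:17000:0:99999:7::17030:
bob:$6$def:17000:0:99999:7::17005:
carol:$6$ghi:17000:0:99999:7:::
dave:$6$jkl:17000:0:99999:7::16990:'

# Stand-alone demonstration against the constructed data.
printf '%s\n' "$SAMPLE_SHADOW" | report_expiring 30 17000
```

Piping the output to mail from a daily cron job gives the automatic report the message describes.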
On Fri, June 17, 2016 11:50 am, James B. Byrne wrote:
On Fri, June 17, 2016 12:31, Valeri Galtsev wrote:
On Fri, June 17, 2016 10:19 am, James B. Byrne wrote:
Keys issued to individuals certainly should have short time limits on them. In the same way that user accounts on systems should always have a near term expiry date set. People are careless. And their motivations are subject to change.
James, though in general one is likely to agree with this, I still consider the conclusion I came to after discussions more than a decade ago valid for myself. Namely: forcing everyone to change passwords often pisses careful people off for nothing. Passwords they create and carefully keep can stand for decades, and can only be compromised on some compromised machine.
But I never mentioned anything about passwords. I quite agree with you with respect to avoiding needless password churn. What I wrote was specifically user accounts and their expiry dates. These should be short. Say six to twelve months or so. When the account expires then it can be renewed for another six or 12 months. The password for it is not changed.
We do not expire accounts until the person leaves the Department and the grace period passes. Then we do lock the account, and after some time the person's files are deleted. This is the policy, and this is what we do. The only time an account expiration is set is for undergraduate students who temporarily work with some professor. For them the expiration is changed when they continue to work with the professor the next academic year.
Is this not what everybody does?
Valeri
One can always write a script to automatically search for and report pending expirations. There is no real need for accounts to actually expire. But, even if accounts do expire for active users then it is not much of a hardship to report the fact and to have them reactivated. On the other hand, disused accounts never get reported and remain deactivated.
Also, when a person leaves our employ and somehow the cancellation of all or some of their accounts gets overlooked in the out-processing, then shortly their accounts will be deactivated automatically. A fail-safe mechanism.
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++