[CentOS] [Fwd: Re: https and self signed]

Fri Jun 17 17:08:49 UTC 2016
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Fri, June 17, 2016 11:50 am, James B. Byrne wrote:
> On Fri, June 17, 2016 12:31, Valeri Galtsev wrote:
>> On Fri, June 17, 2016 10:19 am, James B. Byrne wrote:
>>> Keys issued to individuals certainly should have short time limits
>>> on them.  In the same way that user accounts on systems should
>>> always have a near term expiry date set.  People are careless.
>>> And their motivations are subject to change.
>> James, though in general one is likely to agree with this, I still
>> consider the conclusion I came to after discussions more than decade
>> ago valid for myself. Namely: forcing everyone to change password
>> often pisses careful people off for nothing. Passwords they create
>> and carefully keep can stand for decades, and only can be
>> compromised on some compromised machine.
> But I never mentioned anything about passwords.  I quite agree with
> you with respect to avoiding needless password churn.  What I wrote
> was specifically user accounts and their expiry dates.  These should
> be short. Say six to twelve months or so.  When the account expires
> then it can be renewed for another six or 12 months.  The password for
> it is not changed.

We do not expire accounts until the person leaves the Department and the grace
period passes. Then we do lock the account, and after some time the person's files
are deleted. This is the policy, and this is what we do. The only
time when account expiration is set is for undergraduate students
who temporarily work with some professor. For them the expiration is
changed when they continue to work with the professor the next academic year.

Is this not what everybody does?


> One can always write a script to automatically search for and report
> pending expirations.  There is no real need for accounts to actually
> expire.  But, even if accounts do expire for active users then it is
> not much of a hardship to report the fact and to have them
> reactivated.  On the other hand, disused accounts never get reported
> and remain deactivated.
> Also, when a person leaves our employ and somehow the cancellation of
> all or some their accounts gets overlooked in the out-processing then
> shortly their accounts will be deactivated automatically. A fail safe
> mechanism.
> --
> ***          e-Mail is NOT a SECURE channel          ***
>         Do NOT transmit sensitive data via e-Mail
>  Do NOT open attachments nor follow links sent by e-Mail
> James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
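The "script to report pending expirations" James mentions, as an added example that is not part of this thread: a POSIX sh function that reads the expiry field of /etc/shadow (field 8, days since 1970-01-01) and lists accounts that have expired or expire within N days. The sample shadow lines, their day numbers and the reference day 16969 (2016-06-17, the date of the mail) are constructed for the example.

```shell
#!/bin/sh
# Report accounts whose expiry date (field 8 of /etc/shadow, days since
# 1970-01-01) has passed or falls within the next DAYS_AHEAD days.
# Usage: report_expiring DAYS_AHEAD [SHADOW_FILE] [TODAY_DAYS]
#   SHADOW_FILE defaults to /etc/shadow (readable only by root).
#   TODAY_DAYS defaults to the current day number; it is a parameter so
#   the report can be reproduced against a fixed date.
report_expiring() {
    ahead="$1"
    shadow="${2:-/etc/shadow}"
    today="${3:-$(( $(date +%s) / 86400 ))}"
    awk -F: -v today="$today" -v ahead="$ahead" '
        # skip comments, malformed lines and accounts with no expiry set
        NF < 8 || $1 ~ /^#/ || $8 == "" { next }
        {
            left = $8 - today
            if (left < 0)           status = "EXPIRED"
            else if (left <= ahead) status = "expires in " left " day(s)"
            else next
            printf "%s\t%s\n", $1, status
        }' "$shadow"
}

# Constructed sample in /etc/shadow format (hashes replaced by "*").
# root has no expiry; alice expires on day 17000, bob on day 16950,
# carol on day 17200.
sample_shadow() {
    cat <<'EOF'
root:*:16900:0:99999:7:::
alice:*:16900:0:99999:7::17000:
bob:*:16900:0:99999:7::16950:
carol:*:16900:0:99999:7::17200:
EOF
}

# Run against the constructed sample with 2016-06-17 (day 16969) as today:
#   tmp=$(mktemp); sample_shadow > "$tmp"; report_expiring 60 "$tmp" 16969; rm -f "$tmp"
# Run against the live system (as root):  report_expiring 60
```

With a 60-day window and day 16969 as today, the sample reports alice (31 days left) and bob (already expired); root is skipped because no expiry is set, and carol is outside the window.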