On Fri, June 17, 2016 11:50 am, James B. Byrne wrote:
>
> On Fri, June 17, 2016 12:31, Valeri Galtsev wrote:
>>
>> On Fri, June 17, 2016 10:19 am, James B. Byrne wrote:
>>
>>> Keys issued to individuals certainly should have short time limits
>>> on them. In the same way that user accounts on systems should
>>> always have a near term expiry date set. People are careless.
>>> And their motivations are subject to change.
>>
>> James, though in general one is likely to agree with this, I still
>> consider the conclusion I came to after discussions more than a decade
>> ago valid for myself. Namely: forcing everyone to change password
>> often pisses careful people off for nothing. Passwords they create
>> and carefully keep can stand for decades, and can only be
>> compromised on some compromised machine.
>
> But I never mentioned anything about passwords. I quite agree with
> you with respect to avoiding needless password churn. What I wrote
> was specifically user accounts and their expiry dates. These should
> be short. Say six to twelve months or so. When the account expires
> then it can be renewed for another six or 12 months. The password for
> it is not changed.

We do not expire accounts until the person leaves the Department and the
grace period passes. Then we do lock the account and after some time the
person's files are deleted. This is the policy, and this is what we do.

The only time an account expiration is set is for undergraduate students
who temporarily work with some professor. For them the expiration is
changed when they continue to work with the professor next academic year.

Is this not what everybody does?

Valeri

>
> One can always write a script to automatically search for and report
> pending expirations. There is no real need for accounts to actually
> expire. But, even if accounts do expire for active users then it is
> not much of a hardship to report the fact and to have them
> reactivated. On the other hand, disused accounts never get reported
> and remain deactivated.
>
> Also, when a person leaves our employ and somehow the cancellation of
> all or some of their accounts gets overlooked in the out-processing then
> shortly their accounts will be deactivated automatically. A fail safe
> mechanism.
>
> --
> *** e-Mail is NOT a SECURE channel ***
> Do NOT transmit sensitive data via e-Mail
> Do NOT open attachments nor follow links sent by e-Mail
>
> James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
> Harte & Lyne Limited http://www.harte-lyne.ca
> 9 Brockley Drive vox: +1 905 561 1241
> Hamilton, Ontario fax: +1 905 561 0757
> Canada L8E 3C3
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
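An added example (not posted by anyone in this thread) of the kind of script James refers to, which reports accounts whose expiry date has passed or is within a window: it reads shadow-format lines from stdin, where field 8 is the account expiration date in days since 1970-01-01 and an empty field means no expiry; the sample entries and the "today" value are constructed for the demonstration.

```sh
#!/bin/sh
# Report accounts whose expiry (shadow field 8, days since 1970-01-01)
# has already passed or falls within the next WINDOW days.
# Usage: report_expiring TODAY_DAYS [WINDOW_DAYS] < shadow-format-input
report_expiring() {
    today=$1
    window=${2:-30}
    awk -F: -v today="$today" -v window="$window" '
        # Accounts with no expiry date set are skipped entirely.
        $8 == "" { next }
        {
            left = $8 - today
            if (left < 0)
                printf "%s expired %d days ago\n", $1, -left
            else if (left <= window)
                printf "%s expires in %d days\n", $1, left
        }'
}

# Current day number in the same units as the shadow file.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# Constructed sample entries (hashes are dummies, not real accounts).
# With "today" = day 17000 (18 July 2016): alice expires in 10 days,
# bob expired 5 days ago, carol has no expiry, dave is outside the window.
SAMPLE_SHADOW='alice:$6$dummy:16900:0:99999:7::17010:
bob:$6$dummy:16900:0:99999:7::16995:
carol:$6$dummy:16900:0:99999:7:::
dave:$6$dummy:16900:0:99999:7::17100:'

# Demonstration on the constructed data; on a real host run (as root):
#   report_expiring "$(today_days)" 30 < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | report_expiring 17000 30
```

Only the expiry field is consulted here; a locked password or a disabled shell is a separate check.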