Freia Staff Page

Other documentation for freia is on the IRTF Team Drive

For purpose & set up, see IRTF_TEAM_DRIVE > COMPUTERS-NETWORK > PC > 2021-05-freia


Managing the user account on host freia


Change in password policies

See Server World: Pwquality : Set Password Rules

Increase the minimum password length to 12, from the too-low limit of 5, in /etc/login.defs ...

...
# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    12
PASS_WARN_AGE   7
...

Update /etc/pam.d/system-auth to remember the last 5 passwords ...

password    sufficient   pam_unix.so sha512 shadow nullok use_authtok remember=5

Update password 'quality' in /etc/security/pwquality.conf ...

# Changed, from 8, minimum length.
minlen = 12

# Changed, from 0, 'maximum number of allowed consecutive same characters'.
maxrepeat = 3

# Changed, from 0, to 'check for the words from the passwd entry GECOS string of
# the user'
gecoscheck = 1
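
To confirm that the three edits above are actually present, the following added example (not part of the original page; the function names are hypothetical) reads the three files and reports any value weaker than the ones set here. It assumes that stricter values should also pass and treats maxrepeat = 0 as a failure, since 0 disables that check.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

logindefs_get() {    # $1=file $2=key: last uncommented "KEY value" line
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

pwquality_get() {    # $1=file $2=key: last uncommented "key = N" line
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9-]*\).*/\1/p" "$1" | tail -n 1
}

pam_remember_get() { # $1=file: N from remember=N on the pam_unix.so password line
    awk '$1 == "password" && /pam_unix\.so/ {
             for (i = 2; i <= NF; i++) if ($i ~ /^remember=/) v = substr($i, 10)
         } END { print v }' "$1"
}

failures=0
check() {            # $1=label $2=actual $3=min $4=max (optional)
    if [ -n "$2" ] && [ "$2" -ge "$3" ] && [ "$2" -le "${4:-$2}" ]; then
        return 0
    fi 2>/dev/null
    echo "FAIL $1: got '${2:-unset}', want >= $3${4:+ and <= $4}" >&2
    failures=$((failures + 1))
}

audit_policy() {     # $1=login.defs $2=pwquality.conf $3=system-auth; prints failure count
    failures=0
    check "login.defs PASS_MIN_LEN" "$(logindefs_get "$1" PASS_MIN_LEN)" 12
    check "pwquality minlen"        "$(pwquality_get "$2" minlen)" 12
    check "pwquality maxrepeat"     "$(pwquality_get "$2" maxrepeat)" 1 3   # 0 = check disabled
    check "pwquality gecoscheck"    "$(pwquality_get "$2" gecoscheck)" 1 1
    check "pam_unix remember"       "$(pam_remember_get "$3")" 5
    echo "$failures"
}

demo() {             # constructed sample files holding the old, weaker settings
    d=$(mktemp -d) || return 1
    printf 'PASS_MAX_DAYS 99999\nPASS_MIN_LEN 5\n' > "$d/login.defs"
    printf '# minlen = 8\n# maxrepeat = 0\n# gecoscheck = 0\n' > "$d/pwquality.conf"
    printf 'password sufficient pam_unix.so sha512 shadow nullok use_authtok\n' > "$d/system-auth"
    audit_policy "$d/login.defs" "$d/pwquality.conf" "$d/system-auth"
    rm -rf "$d"
}

# With three file paths, audit them; with none, run the constructed demo.
if [ "$#" -eq 3 ]; then audit_policy "$@"; else demo; fi
```

Run it as root with /etc/login.defs, /etc/security/pwquality.conf and /etc/pam.d/system-auth as arguments; it checks file contents only, so a real password change is still the final test.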

Generate a password that follows the above policy

Install apg package ...

dnf install apg

Generate one password (-n 1) of 12 to 24 characters (-m 12 -x 24) that is 'pronounceable' (-a 0) ...

apg -n 1 -m 12 -x 24 -a 0

A wrapper script around the above command has been installed in /usr/local/bin/make-password.sh. It is also in /root/root/bin/make-password.sh.


Assigning a new account

  1. Stop the VNC instance and copy the template files.
       # stop vnc desktop (as root)
       systemctl stop    vncserver@:N.service
    
       # login, make new home directory for new account
       ssh freia -l fguestN
       find . -xdev -mindepth 1 -maxdepth 1  \
          ! -name .cshrc ! -name .login ! -name .logout -print  -exec rm -r {} \;
       tar xvf /aux1/guest_template.tar
    
       # Run '/usr/local/bin/make-password.sh' to generate a password.
       #
       # Set account password via 'passwd' & VNC password (same as account
       # password) via 'vncpasswd' for the user account.
       #
       # Re-start VNC desktop  (as root)
       systemctl restart vncserver@:N.service
    
  2. Log in via VNC and test
    • Disable the screensaver & lock screen, and display power management (Power Manager), via Applications -> Settings -> Screensaver.
  3. Expire the password set above to force the user to set a new password ...
       passwd -e fguestN
    
  4. Email user with (see email template for new account):
    • account information;
    • contact for help with login & VNC;
    • contact for support scientist.

Account History

See account-use.


Deactivating an account

  1. Notify the user via email about account expiry & inform them that the account can be extended on request (see email template for account about to expire);
  2. In case of the account BEING EXTENDED: make a note in the current account list and SKIP the NEXT step.
  3. In case of account NOT being EXTENDED ...
    1. Stop the VNC server: systemctl stop vncserver@:N.service.
    2. Change passwd, vncpasswd to deny access. (See the apg ... command to generate a password.)
    3. Remove all the files in the account home directory, /home/fguestN.