Re: Preventing Auto-Login c writes:
>We'd ideally like to be able to rotate the passwords after the
>developers leave and not leave this potential for a back door into our
>systems.
In that case I would, if I were you, focus on the issue of access after the
developers leave.

For that, nothing beats deleting their accounts. When people leave, to avoid
having them log in to your computers, delete their accounts.

Note that you can delete the account by removing the line from /etc/passwd
without deleting its home directory, if you're concerned that there might be
valuable source code which they forgot to check in, etc.

But I suspect from your phrasing that you might have group accounts with
passwords known to multiple people. I think that this is the problem here.
Each account should have one user, only. When that person leaves, rather than
changing the password and giving the account to someone else, the account
should be deleted.

It's easy and cheap to create and delete accounts. It's difficult to manage
multi-user accounts.
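
An added example, not part of the original post: a check to run after offboarding that reports departed users who still have an /etc/passwd line, UIDs shared by more than one login name, and kept home directories whose owner UID no longer has an account. The passwd text, user names and directory owners below are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data (not from the original post).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
build:x:1002:1002:shared build login:/home/build:/bin/bash
build2:x:1002:1002:second name, same UID:/home/build:/bin/bash
carol:x:1004:1004:Carol:/home/carol:/bin/bash
"""
SAMPLE_DEPARTED = {"bob", "carol"}
# Directory -> owning UID, as os.stat(path).st_uid would report it.
SAMPLE_HOME_OWNERS = {"/home/alice": 1001, "/home/bob": 1003, "/home/carol": 1004}


def parse_passwd(text):
    """Return (name, uid) pairs; skip blanks, comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7 or not fields[2].isdigit():
            continue
        entries.append((fields[0], int(fields[2])))
    return entries


def audit(passwd_text, departed, home_owners):
    """Summarise leftover access after people have left."""
    entries = parse_passwd(passwd_text)
    names_by_uid = defaultdict(list)
    for name, uid in entries:
        names_by_uid[uid].append(name)
    return {
        # Departed people whose passwd line is still present.
        "still_present": sorted(n for n, _ in entries if n in departed),
        # Several login names on one UID are one account with several users.
        "shared_uids": {u: ns for u, ns in names_by_uid.items() if len(ns) > 1},
        # Kept home directories whose owner UID has no passwd entry any more.
        "orphaned_homes": sorted(d for d, u in home_owners.items()
                                 if u not in names_by_uid),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PASSWD, SAMPLE_DEPARTED, SAMPLE_HOME_OWNERS)
    for key, value in report.items():
        print(key, value)
```

A home directory kept after its passwd line is removed stays owned by the old numeric UID, so a later account created with that UID would own those files; the `orphaned_homes` list shows which directories to re-own or archive first.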