Been working on some security hardening procedures for a RedHat box, and I wanted to know if it would be possible to prevent a user from changing his password once it's expired.
For one of our clients the requirement is that they must only have access to the server through temporary accounts, meaning that once the user credentials are created, the password must expire within 4 hours, and once the password expires, only root should be able to change it.
For the first requirement (passwords expiring after 4 hours), I guess it could be achieved by setting passwordMaxAge = 144000. But I still couldn't find a way of preventing the users from changing expired passwords without turning off password expiration.
Can anyone help?