From: Glenn Johnson
Date: Sun, 7 Sep 2003 19:00:40 -0500
To: Chris Petrik
Cc: freebsd-current@freebsd.org
Subject: Re: Help with password expire
Message-ID: <20030908000040.GA750@gforce.johnson.home>
User-Agent: Mutt/1.5.4i
List-Id: Discussions about the use of FreeBSD-current

On Sun, Sep 07, 2003 at 04:31:33PM -0700, Chris Petrik wrote:
> I am trying to use FreeBSD's way of password expiration to make it so
> I need to change my password every 30 days. I've got:
>
> :warnpassword=4d:\
> :passwordtime=30d:
>
> in my /etc/login.conf and did a cap_mkdb /etc/login.conf. I tried to
> change the password of one of my users using passwd and it doesn't
> seem to add a change time to it; according to chpass the
> "Change [month day year]:" stays unchanged. But if I manually add the
> change time using pw it adds the change time, but if I change the
> password it doesn't add a new change time. Do I need to edit
> /etc/pam.d/passwd and uncomment the top line that's commented out?
> Because it seems to be broken atm, as it doesn't do what I ask it to
> do. If you need anything else please let me know.

A password expiry system is not natively implemented in FreeBSD, although the password expiry field in the password database allows one to set up a system.

The users on the system where I work log in mostly via gdm, so I set up some checks in the PreSession file to check the password expiry field and call passwd if the password has expired. After a successful password change, the pw command is called to reset the expiry field.

To catch the case where a user changes the password at a time other than when prompted via the PreSession script, I set up a script that runs via periodic/daily. This script checks the expiry field and, if it is 0, calls pw to set the expiry field to the appropriate value. Since this runs daily, the assumption is that the password was changed within the last 24 hours.

The password warning feature works really well with gdm, as it pops up a dialog box. There is no warning at console logins, but I am the only one allowed to log in at the console, so that is not a big deal for me but may be for you. There is a warning displayed during an ssh login, but it is very easy to miss as it scrolls off the screen.

One warning about ssh: once the user's password has expired, ssh will not allow the login, thereby locking out that user from that mode of access. This is not FreeBSD specific.

There are probably several ways to write scripts for this, and they would have to be tailored to your situation, but hopefully I have given you some ideas about how to proceed. One thing that will definitely influence how you ultimately set this up is whether you use NIS or not.

-- 
Glenn Johnson
glennpj@charter.net
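The periodic/daily check described in the reply, written out as an added example (this is not Glenn Johnson's script). It reads master.passwd-format lines, where field 6 is the password change time (0 = none set), and emits the `pw usermod -p` command that sets it; the `PASSWORDTIME` value, the `DRYRUN` switch, the function names and the sample accounts are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original message: the daily "expiry field is 0,
# so set it with pw" check, applied to master.passwd-format lines.
# Field 6 is the password change time (seconds since the epoch, 0 = never).
PASSWORDTIME="${PASSWORDTIME:-+30d}"   # assumed; matches passwordtime=30d
DRYRUN="${DRYRUN:-1}"                  # assumed switch: 1 = print, 0 = run pw

# Return 0 when the account should get an expiry date: it has a real password
# (not '*' and not locked) and its change field is 0.
needs_expiry_reset() {
    # master.passwd: name:pw:uid:gid:class:change:expire:gecos:home:shell
    pw_hash=$(printf '%s' "$1" | cut -d: -f2)
    change=$(printf '%s' "$1" | cut -d: -f6)
    case "$pw_hash" in
        ''|'*'|'*LOCKED*'*) return 1 ;;   # nothing to expire on these accounts
    esac
    [ "$change" = "0" ]
}

# For each master.passwd line on stdin, print (or run) the pw command that
# sets the password change time, as the periodic/daily script in the message does.
reset_expired_changes() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        needs_expiry_reset "$line" || continue
        user=${line%%:*}
        if [ "$DRYRUN" = "1" ]; then
            printf 'pw usermod %s -p %s\n' "$user" "$PASSWORDTIME"
        else
            pw usermod "$user" -p "$PASSWORDTIME"
        fi
    done
}

# Constructed sample of master.passwd lines (hashes are placeholders).
SAMPLE='root:$6$placeholder:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$6$placeholder:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$6$placeholder:1002:1002::1062979200:0:Bob:/home/bob:/bin/sh
carol:*LOCKED*$6$placeholder:1003:1003::0:0:Carol:/home/carol:/bin/sh'

# Dry run over the sample: only root and alice need a change time set.
printf '%s\n' "$SAMPLE" | reset_expired_changes
```

On a real host the input would be `pw usershow -a` (master.passwd format) rather than the constructed sample.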