Date:      Wed, 6 Jul 2005 15:24:10 -0500
From:      Dan Nelson <dnelson@allantgroup.com>
To:        Mike Carlson <m87carlson@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Account password expiration
Message-ID:  <20050706202410.GB38925@dan.emsphone.com>
In-Reply-To: <fe1fa63f050706122852ab1eca@mail.gmail.com>
References:  <fe1fa63f050706122852ab1eca@mail.gmail.com>

In the last episode (Jul 06), Mike Carlson said:
> Is there a way in 5.x to have account passwords expire every 180
> days? Or I should say N days really. I think this was once tunable in
> /etc/login.conf but that has been replaced with PAM.
> 
> Anyway, I just need account passwords to expire every 180 days, any
> help is appreciated.

It looks like pam_unix does check the passwd-change field in
master.passwd, but I don't see any code that resets the field when a
password is updated.  The login.conf and passwd manpages refer to a
"passwordtime" capability, but libpam zeroes out the change field when
the passwd is changed.  

Try the following patch.  After rebuilding pam_unix.so, edit
/etc/login.conf, set "passwordtime" to some short value like "10m", run
"cap_mkdb /etc/login.conf", change a password, and see if it expires in
10 minutes.

Index: pam_unix.c
===================================================================
RCS file: /home/ncvs/src/lib/libpam/modules/pam_unix/pam_unix.c,v
retrieving revision 1.49
diff -u -r1.49 pam_unix.c
--- pam_unix.c	10 Feb 2004 10:13:21 -0000	1.49
+++ pam_unix.c	6 Jul 2005 20:14:06 -0000
@@ -371,8 +371,10 @@
 		if ((old_pwd = pw_dup(pwd)) == NULL)
 			return (PAM_BUF_ERR);
 
-		pwd->pw_change = 0;
 		lc = login_getclass(NULL);
+		pwd->pw_change = login_getcaptime(lc, "passwordtime", 0, 0);
+		if (pwd->pw_change)
+			pwd->pw_change += time(NULL);
 		if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
 			openpam_log(PAM_LOG_ERROR,
 			    "can't set password cipher, relying on default");
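Review bot: `login_getclass(NULL)` resolves the default login class, not the class recorded for the user whose password is being changed, so a `passwordtime` set only on a specific class in login.conf is ignored for that user's entry; `login_getpwclass(pwd)` would honor the user's own class. A second point on the new `login_getcaptime(lc, "passwordtime", 0, 0)` line: because the default and error arguments are both 0, an unparsable `passwordtime` value silently leaves `pw_change` at 0 (no expiry at all), which is the opposite of what an administrator setting the capability intends; logging that case through `openpam_log`, the way the cipher fallback just below already does, would make the misconfiguration visible.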

-- 
	Dan Nelson
	dnelson@allantgroup.com
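The arithmetic the patch introduces (new pw_change = time of change + passwordtime, with 0 meaning "never expires") and the login.conf(5) time syntax it relies on are small enough to show in full. The following is an added, stand-alone C illustration written for this archive page; it is not Dan's patch nor the libutil/pam_unix source. `parse_captime` re-implements the `login_getcaptime(3)` duration format (y, w, d, h, m, s suffixes, combinable as in "1w3d12h") as an assumption about that format, and treats a bare number as seconds, which is also an assumption. `compute_pw_change` mirrors the patch's behaviour including its failure mode: a malformed value yields 0, i.e. the password silently never expires.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Parse a login.conf(5)-style duration such as "180d", "10m" or "1w3d12h".
 * Assumed syntax: decimal number followed by y (365 days), w, d, h, m or s;
 * several unit groups may be concatenated; a bare number is taken as seconds.
 * Returns total seconds, or -1 on malformed input.
 * Illustrative re-implementation, not the libutil login_getcaptime(3) code. */
long parse_captime(const char *s)
{
    long total = 0;

    if (s == NULL || *s == '\0')
        return -1;
    while (*s != '\0') {
        char *end;
        long n;

        if (!isdigit((unsigned char)*s))
            return -1;                 /* every group must start with digits */
        n = strtol(s, &end, 10);
        if (n < 0)
            return -1;
        switch (*end) {
        case 'y': n *= 365L * 24 * 60 * 60; end++; break;
        case 'w': n *= 7L * 24 * 60 * 60;   end++; break;
        case 'd': n *= 24L * 60 * 60;       end++; break;
        case 'h': n *= 60L * 60;            end++; break;
        case 'm': n *= 60L;                 end++; break;
        case 's':                           end++; break;
        case '\0':                                 break; /* bare seconds */
        default:  return -1;               /* unknown unit suffix */
        }
        total += n;
        s = end;
    }
    return total;
}

/* What the patched pam_unix stores in pw_change: now + passwordtime.
 * A missing, zero or (as in the patch, where def == err == 0) malformed
 * capability yields 0, which the system reads as "password never expires". */
time_t compute_pw_change(time_t now, const char *passwordtime)
{
    long secs = passwordtime ? parse_captime(passwordtime) : 0;

    if (secs <= 0)
        return 0;
    return now + (time_t)secs;
}

/* Expiry test modelled on the account-management check: a non-zero
 * pw_change that is not in the future means the password must be changed. */
int password_expired(time_t pw_change, time_t now)
{
    return pw_change != 0 && pw_change <= now;
}

int main(void)
{
    /* Constructed sample values; "now" is fixed so the output is stable. */
    const time_t now = 1120681450;          /* roughly the date of the mail */
    const char *samples[] = { "10m", "180d", "1w3d12h", "10x", "0" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        time_t change = compute_pw_change(now, samples[i]);
        printf("passwordtime=%-8s parsed=%ld  pw_change=%ld  %s\n",
               samples[i], parse_captime(samples[i]), (long)change,
               change == 0 ? "(never expires)" :
               password_expired(change, now + 15552000) ?
                   "expired after 180d" : "still valid after 180d");
    }
    return 0;
}
```

Running it shows the quiet failure the patch leaves open: "10x" parses as -1 and produces pw_change 0, which is indistinguishable from an administrator who deliberately set no expiry, so a typo in login.conf turns password ageing off rather than producing an error.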



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050706202410.GB38925>