Date:      Thu, 12 Apr 2012 13:10:06 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@FreeBSD.org
Subject:   Re: How to set Password Change Time in FreeBSD
Message-ID:  <4F86C61E.2000100@FreeBSD.org>
In-Reply-To: <OF6CADE337.849CD658-ON482579DE.00319FFE-482579DE.0032D92C@cn.ibm.com>
References:  <OF6CADE337.849CD658-ON482579DE.00319FFE-482579DE.0032D92C@cn.ibm.com>


On 12/04/2012 10:15, Jun Li BJ Zhao wrote:
> To force local users in a FreeBSD system to change their passwords periodically,
> I want to set the Password Change Time. I tried the following two ways, but
> both failed. Could you please give me the correct operations? Thanks a lot!
>
> Method 1:
> Added passwordtime=2m to /etc/login.conf, then ran the command
> cap_mkdb /etc/login.conf.
> Result: the password of any user was not expired after two minutes.

This just sets the default password expiry.  If you created a new
account after doing this, it should have the password expiry behaviour
you expect.

> Method 2:
> Run the command pw usermod root -p 2m
> Result: the password of root was expired after two minutes. But after I changed
> it once, it never expired again.

Method 1 is what you want to use to set a system-wide password expiry
policy, and Method 2 is one way of applying that policy to existing
accounts.  You need to modify /etc/master.passwd to enable the policy on
existing accounts after setting up /etc/login.conf . There are two
master.passwd fields that control this functionality:

    Field 5: the user's class -- which entry in /etc/login.conf applies
    for this account.  By default this is empty, which means 'use the
    default class.'

    Field 6: the time that account password must next be changed, given
    as a standard seconds-since-the-epoch unix time.  If zero, then the
    password never expires.

So to set the policy, decide on a login class for all your real users,
add them to it, configure the class with your preferred password
lifetime, then modify master.passwd to set the time when the first
password change should happen for all existing accounts ('pw usermod -p
time' is a way of doing that.  Or you could just edit master.passwd
directly if you want to set this in bulk.)  With the login.conf policy
in place passwd(1) should reset the 6th field appropriately next time
the password is changed.

The root account is special as regards this functionality.  Try using an
unprivileged account for testing purposes.

	Cheers

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
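The procedure Matthew lays out (a login class carrying passwordtime, existing accounts moved into it, a first change deadline written to field 6 of master.passwd) as an added shell example. This is not code from the thread or from FreeBSD; the class name "staff", the 90-day lifetime, the "+1d" first deadline and the "uid >= 1000 means a real user" cut-off are my own illustrative choices, and the master.passwd sample is constructed. Only install_policy and apply_policy need a FreeBSD host and root; the two awk checks run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: class "staff",
# passwordtime=90d, first change due in +1d, real users are uid >= 1000.

# Step 1 (FreeBSD, root): a class with a password lifetime, then rebuild
# the capability database so login(1)/passwd(1) pick it up.
install_policy() {
    cat >> /etc/login.conf <<'EOF'
staff:\
	:passwordtime=90d:\
	:tc=default:
EOF
    cap_mkdb /etc/login.conf
}

# Step 2 (FreeBSD, root): put an existing account into the class (field 5)
# and set the first change deadline (field 6). Once the user changes the
# password, passwd(1) sets the next deadline from the class's passwordtime.
apply_policy() {
    pw usermod "$1" -L staff
    pw usermod "$1" -p +1d
    describe_line "$(pw usershow "$1")"   # pw usershow prints the master.passwd line
}

# Constructed sample in master.passwd layout:
# name:pw:uid:gid:class:change:expire:gecos:home:shell
# alice is already under the policy (class set, change time set); bob is not.
SAMPLE_MASTER_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:*:1001:1001:staff:1334232000:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh'

# Report class (field 5) and password-change status (field 6) for one line.
# An empty class means the "default" entry applies; a zero change time
# means the password never expires, exactly the state the policy must fix.
describe_line() {
    printf '%s\n' "$1" | awk -F: '{
        cls = ($5 == "") ? "default" : $5
        st  = ($6 == 0) ? "never expires" : "must change at " $6
        printf "%s: class=%s, password %s\n", $1, cls, st
    }'
}

# List non-system accounts (uid >= 1000, an assumption about the local uid
# layout) whose change time is still zero, i.e. accounts the login.conf
# policy does not yet reach even after cap_mkdb has been run.
unmanaged_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 >= 1000 && $6 == 0 { print $1 }'
}
```

On a FreeBSD host, run `unmanaged_accounts "$(cat /etc/master.passwd)"` as root to find the accounts still outside the policy, then `apply_policy name` for each. As Matthew notes, test with an unprivileged account rather than root.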






Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?4F86C61E.2000100>