Date:      Sat, 13 Sep 2008 08:48:25 -0500
From:      "Jon Passki" <jon.passki@hursk.com>
To:        "Khachatur Shahinyan" <khachatur.shahinyan@arca.am>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Freebsd auto locking users
Message-ID:  <cc6847e40809130648x1fc28960p93320610ebe09df6@mail.gmail.com>
In-Reply-To: <48CB52AE.6070501@arca.am>
References:  <48CB52AE.6070501@arca.am>

On Sat, Sep 13, 2008 at 12:42 AM, Khachatur Shahinyan
<khachatur.shahinyan@arca.am> wrote:
>
> Dear FreeBSD gurus, I have a problem concerning user password and authentication policies. The goal is:
> 1) make FreeBSD lock users after 3 unsuccessful login attempts,
> 2) force users to change their passwords every 90 days
>
> I've done such changes in Linux distros, with various PAM modules. But in FreeBSD it seems that I need to use the login.conf file. Here I made the necessary changes in that file:
> >>>>>>
> default:\
> .............
> .............
> .............
> :login-retries=1:\
> :passwordtime=90d:\
> :warnpassword=7d:\
> :warnexpire=7d:\
> >>>>>>>
> Then I ran cap_mkdb /etc/login.conf, and everything went normally with no error messages, but after adding a test user I see no changes in the master.passwd file.
> The fields which are reserved for password aging parameters are 0:0
> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>
> And the locking point does not work either, e.g. no matter how many times I input a wrong password, I'm still able to log in. :(
> I cannot understand what I'm doing wrong, and what should be done to solve these issues? I'm not an expert in FreeBSD administration, so any comments and suggestions are welcome.

login.conf manual page: [1]

RESERVED CAPABILITIES
     The following capabilities are reserved for the purposes indicated and
     may be supported by third-party software.	They are not implemented in
     the base system.
[...]
     passwordtime      time		   Used by passwd(1) to set next pass-
					   word expiry date.
[...]

The other capabilities (warnpassword, warnexpire, login-retries) do
not relate to lock-out attempts.  To my knowledge, there are no other
capabilities that are supported by the base in login.conf that will
lock out an account.  This has been discussed prior [2,3].  It is not
available in the base; the administrator has to manually do this.

[1] http://www.freebsd.org/cgi/man.cgi?query=login.conf&apropos=0&sektion=0&manpath=FreeBSD+7.0-RELEASE&format=html
[2] http://lists.freebsd.org/pipermail/freebsd-questions/2003-August/015073.html
[3] http://lists.freebsd.org/pipermail/freebsd-questions/2008-February/167981.html

Cheers,

Jon
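
Added example, not part of Jon's message or of the FreeBSD base system: one way an administrator could approach the manual step described above, by counting consecutive failed sshd password logins per user and listing accounts that reach the limit of three from the question. It assumes OpenSSH's "Failed password for" and "Accepted ... for" log lines; the function names and the log lines are constructed, and the pw lock command is only printed for review, never run.

```shell
#!/bin/sh
# Added example (not from the thread). Log lines are constructed sample data.
THRESHOLD=3   # the goal stated in the question: 3 unsuccessful attempts

# Hypothetical helper: reads auth-log lines on stdin and prints each user once,
# when the run of consecutive sshd password failures reaches THRESHOLD.
users_over_threshold() {
    awk -v max="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "for") break
            user = $(i + 1)
            # "Failed password for invalid user X": no local account to lock
            if (user == "invalid") next
            if (++fails[user] == max && !reported[user]++) print user
            next
        }
        # A successful login resets the failure run for that user.
        /sshd\[[0-9]+\]: Accepted [^ ]+ for / {
            for (i = 1; i <= NF; i++) if ($i == "for") break
            fails[$(i + 1)] = 0
        }
    '
}

# Constructed sample input (192.0.2.0/24 is a documentation address range).
sample_log() {
    cat <<'EOF'
Sep 13 08:01:02 host sshd[811]: Failed password for test from 192.0.2.10 port 50111 ssh2
Sep 13 08:01:09 host sshd[811]: Failed password for test from 192.0.2.10 port 50111 ssh2
Sep 13 08:01:20 host sshd[811]: Accepted password for test from 192.0.2.10 port 50111 ssh2
Sep 13 08:05:41 host sshd[902]: Failed password for test from 192.0.2.10 port 50240 ssh2
Sep 13 08:06:00 host sshd[915]: Failed password for alice from 192.0.2.77 port 40022 ssh2
Sep 13 08:06:03 host sshd[916]: Failed password for invalid user bob from 192.0.2.77 port 40023 ssh2
Sep 13 08:06:05 host sshd[915]: Failed password for alice from 192.0.2.77 port 40022 ssh2
Sep 13 08:06:09 host sshd[915]: Failed password for alice from 192.0.2.77 port 40022 ssh2
Sep 13 08:07:12 host sshd[902]: Failed password for test from 192.0.2.10 port 50240 ssh2
Sep 13 08:07:15 host sshd[902]: Failed password for test from 192.0.2.10 port 50240 ssh2
EOF
}

# Print, but do not run, the lock command so the administrator can review it.
sample_log | users_over_threshold | while read -r u; do
    echo "candidate for lockout: $u (after review: pw lock $u)"
done
```
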


