Date:      Sat, 13 Sep 2008 22:46:31 +0200
From:      mouss <mouss@netoyen.net>
To:        Toby Burress <kurin@delete.org>
Cc:        freebsd-security@freebsd.org, Khachatur Shahinyan <khachatur.shahinyan@arca.am>
Subject:   Re: Freebsd auto locking users
Message-ID:  <48CC26A7.6020407@netoyen.net>
In-Reply-To: <20080913063522.GA3784@lithium.delete.org>
References:  <48CB52AE.6070501@arca.am> <20080913063522.GA3784@lithium.delete.org>

Toby Burress wrote:
> On Sat, Sep 13, 2008 at 10:42:06AM +0500, Khachatur Shahinyan wrote:
>> :passwordtime=90d:\
>> :warnpassword=7d:\
>> :warnexpire=7d:\
>> Then I made the cap_mkdb /etc/login.conf, and everything went normal, no
>> error messages, but after adding a test user I see no changes in the
>> master.passwd file.
>> The fields which are reserved for password aging parameters are 0:0
>> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>>
>> And the locking point does not work either, e.g. no matter how many times
>> I input the wrong password, I'm still able to log in. :(
>> I cannot understand what I'm doing wrong, and what should be done to solve
>> these issues? I'm not an expert in FreeBSD administration, so any comments
>> and suggestions are welcome.
> 
> You'll notice in the login.conf man page that these are in the
> "reserved capabilities" section:
> 
> RESERVED CAPABILITIES
>      The following capabilities are reserved for the purposes indicated and
>      may be supported by third-party software.  They are not implemented in
>      the base system.
> 
> For blocking repeated password attempts, check out security/pam_abl.
> Note that if sshd doesn't use PAM, it won't have any effect for ssh
> logins.
> 
> A quick search doesn't show me any port for enforcing password age.
> For what it's worth, I once emailed Bruce Schneier about the
> effectiveness of that and he said he never changed his passwords
> (based on age, anyway).  But there's probably something.

Given that it's not easy to select a good password (both strong and easy 
to remember), password expiration sometimes results in weak passwords or 
in forgotten ones. Or, if no measure is taken against it, people change 
back to old ones.


http://www.cryptosmith.com/sanity/expharmful.html
http://www.rsa.com/blog/blog_entry.aspx?id=1286
http://www.cerias.purdue.edu/site/blog/post/password-change-myths/P50/

and the other side has its proponents of course:

http://lopsa.org/node/29
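
An added illustration, not part of the original message or of FreeBSD itself: the `0:0` in the quoted master.passwd entry are the password-change and account-expiry fields, stored as seconds since the epoch, with 0 meaning "not set". The sketch below parses entries and reports those fields; the `aged` entry and all function names are constructed for the example.

```python
from datetime import datetime, timezone

# FreeBSD master.passwd field order, per passwd(5).
FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home_dir", "shell")

# Constructed sample: the entry quoted in the thread plus a made-up entry
# ("aged") that has both aging fields set.
SAMPLE = """\
# constructed sample, not a real system file
test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
aged:*:1002:1002:staff:1228953600:1230768000:Aged User:/home/aged:/bin/sh
"""

def parse_entry(line):
    """Split one line into a dict; None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    try:
        entry["change"] = int(entry["change"] or 0)
        entry["expire"] = int(entry["expire"] or 0)
    except ValueError:
        return None
    return entry

def describe(ts):
    """0 means the field is not set; otherwise it is seconds since the epoch."""
    if ts == 0:
        return "not set"
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")

def audit(text):
    """Return {name: (login class, password-change date, account-expiry date)}."""
    report = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            # An empty class field falls back to the "default" login class
            # for ordinary (non-root) users.
            report[entry["name"]] = (entry["class"] or "default",
                                     describe(entry["change"]),
                                     describe(entry["expire"]))
    return report

if __name__ == "__main__":
    for name, (cls, change, expire) in audit(SAMPLE).items():
        print(f"{name}: class={cls} change={change} expire={expire}")
```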
