From: Dan Nelson <dan@dan.emsphone.com>
To: jdyke@azimapower.com
Cc: "freebsd-questions@freebsd.org"
Date: Sat, 9 Jul 2005 22:20:04 -0500
Subject: Re: password rotation and unique constraint
Message-ID: <20050710032004.GB5116@dan.emsphone.com>
In-Reply-To: <42D08423.5080401@azimapower.com>
References: <42D08423.5080401@azimapower.com>
X-OS: FreeBSD 5.4-STABLE
User-Agent: Mutt/1.5.9i

In the last episode (Jul 09), Jeff said:
> I'd like to configure pw.conf to force password expiration. Is there
> any way to ensure the user can not change it to the same password? I
> don't need to keep the last 7 or anything, just stop it being the
> same as the last one. If/when I need the last N passwords, I'd
> assume I'd have to move to LDAP?

Should be easy enough to add a check to the passwd source to make sure
that the old password doesn't match the new one.

As for storing the last 7 passwords and checking against them, I don't
see any reason LDAP would be required. It doesn't magically add this
support. If you're already using NIS (you didn't say), you can add code
to rpc.yppasswdd to store the old password hashes somewhere and check
against them before accepting a new password change.

-- 
Dan Nelson
dnelson@allantgroup.com
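The check Dan describes, in both forms (reject a password equal to the current one, and reject any of the last N), as an added example that is not part of the thread and not FreeBSD's passwd or rpc.yppasswdd code. It shows the detail that trips people up: stored password hashes are salted, so hashing the candidate password afresh and comparing hash strings never matches; the candidate has to be re-derived with each stored record's own salt and iteration count and then compared in constant time. The record format (pbkdf2-sha256$iters$salt$digest), the iteration count and the history length of 7 are assumptions chosen for this example, not the format of /etc/master.passwd.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed parameters for this example only; FreeBSD's crypt(3) formats differ.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2-sha256$<iters>$<salt b64>$<digest b64>.

    A fresh random salt is drawn unless one is supplied, so hashing the same
    password twice yields two different records. That is why a history check
    cannot simply compare record strings.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2-sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def matches(password: str, record: str) -> bool:
    """Re-derive the candidate with the record's own salt and iteration count
    and compare digests in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record never matches
    if algo != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def check_new_password(new_password: str, history: List[str]) -> Optional[str]:
    """history[0] is the hash of the current password, the rest are older ones,
    newest first. Returns None if the new password is acceptable, otherwise a
    rejection message that passwd could print to the user."""
    for age, record in enumerate(history):
        if matches(new_password, record):
            if age == 0:
                return "new password must differ from the current one"
            return "new password was used %d change(s) ago" % age
    return None


def rotate(new_password: str, history: List[str], keep: int = 7) -> List[str]:
    """Accept a password change: push the new hash to the front of the history
    and trim it to `keep` entries (keep=1 gives Jeff's 'just not the last one').
    Raises ValueError with the rejection reason if the check fails."""
    reason = check_new_password(new_password, history)
    if reason is not None:
        raise ValueError(reason)
    return [hash_password(new_password)] + history[: keep - 1]


if __name__ == "__main__":
    # Constructed walk-through: two accepted changes, then an attempted reuse.
    hist = rotate("correct horse", [])
    hist = rotate("battery staple", hist)
    print(check_new_password("correct horse", hist))  # reuse from one change ago
```

In a real passwd(1) or rpc.yppasswdd change the same logic would run against the user's current hash from master.passwd plus whatever side file holds the older hashes; the side file needs the same ownership and mode as master.passwd, since its contents are offline-crackable just like the live hash.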