From: Matthew Seaman
To: Piotr Gnyp
Cc: questions@freebsd.org
Date: Thu, 13 May 2004 14:34:13 +0100
Subject: Re: password expiry
Message-ID: <20040513133413.GD39379@happy-idiot-talk.infracaninophile.co.uk>
References: <20040513111846.GC39379@happy-idiot-talk.infracaninophile.co.uk>

On Thu, May 13, 2004 at 01:22:45PM +0200, Piotr Gnyp wrote:
> On Thu, 13 May 2004, Matthew Seaman wrote:
>
> > On Thu, May 13, 2004 at 12:59:58PM +0200, Piotr Gnyp wrote:
> > > I'm trying to set password expiry for users, I've changed login.conf to:
> > > :minpasswordlen=6:\
> > > :passwordtime=30d:\
> > > :warnpassword=1w:\
> > > But it doesn't seem to work. What am I missing, or where will I find the
> > > answer? Please advise.
> >
> >     # cap_mkdb /etc/login.conf
> >
> > perhaps? Remember too that login.conf is only consulted at login
> > time, so you have to log out and back in again in order to see any
> > effects.
>
> done that, and also I've added to sshd_conf:
> UseLogin yes
> And no effect.
>
> Tried on 5.2.1-R-p6 and 4.10-PRER.

Ah... so you're using sshd(8). You didn't happen to mention that
rather relevant information before.

Can you try logging in on the console to test your changes? If
login.conf settings work on the console then sshd is the problem.
Otherwise, it's the login.conf stuff itself which is at fault.

sshd(8) defaults to trying its own key-based authentication and then
backing off to the standard PAM system to do user authentication --
see the ChallengeResponseAuthentication entry in sshd_config(5). At
the moment the default value of the relevant bit in /etc/pam.conf
(4.x -- not sure what 5.x uses) is:

    sshd    account    required    pam_unix.so

and if you check the source code for the pam_sm_acct_mgmt() function
of pam_unix.so in /usr/src/lib/libpam/modules/pam_unix/pam_unix.c you
can see that the login.conf settings are checked when the session is
authenticated using Unix passwords. OTOH if you're using ssh keys it
doesn't seem to check that way.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way
Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
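
Added example, not part of the original message: a small check for the first suggestion in the thread, that an edited login.conf is ignored until cap_mkdb has rebuilt login.conf.db (getcap(3) reads the .db file in preference to the text file when it exists). The helper names logincap and logindb_stale are hypothetical, the sample file is constructed, and tc= inheritance between classes is not followed.

```sh
# Added example, not from the thread. logincap and logindb_stale are
# hypothetical helper names; the sample file below is constructed.

# logincap FILE CLASS CAP: print CAP's value for login class CLASS.
# Joins backslash-continued lines; does not follow tc= inheritance.
logincap() {
    awk -v class="$2" -v cap="$3" '
        /^[ \t]*#/ { next }                      # comment line
        { rec = rec $0 }
        /\\$/ { sub(/\\$/, "", rec); next }      # record continues
        {
            n = split(rec, f, ":"); rec = ""
            split(f[1], names, "|"); hit = 0     # name and aliases
            for (i in names) if (names[i] == class) hit = 1
            if (!hit) next
            for (i = 2; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (index(f[i], cap "=") == 1) {
                    print substr(f[i], length(cap) + 2); found = 1; exit
                }
            }
        }
        END { exit !found }' "$1"
}

# logindb_stale FILE: true when FILE.db exists but is older than FILE,
# i.e. the edit was never compiled with cap_mkdb and is being ignored.
logindb_stale() {
    [ -e "$1.db" ] && [ "$1" -nt "$1.db" ]
}

# Constructed sample: the settings from the post, edited after the last
# cap_mkdb run (the .db file is given an older timestamp).
sample_dir=$(mktemp -d)
conf="$sample_dir/login.conf"
cat > "$conf" <<'EOF'
default:\
    :minpasswordlen=6:\
    :passwordtime=30d:\
    :warnpassword=1w:
EOF
touch -t 200405130000 "$conf.db"

for cap in minpasswordlen passwordtime warnpassword; do
    echo "$cap=$(logincap "$conf" default "$cap" || echo '(unset)')"
done
if logindb_stale "$conf"; then
    echo "$conf.db is older than $conf: run cap_mkdb $conf"
fi
```

On a real system the first argument would be /etc/login.conf and the class the one assigned to the user in master.passwd.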