From owner-freebsd-questions@FreeBSD.ORG Thu Jun 5 15:35:47 2003
Date: Thu, 5 Jun 2003 17:35:43 -0500
From: Glenn Johnson
To: questions@freebsd.org
Subject: Re: password aging
Message-ID: <20030605223543.GA42527@node1.cluster.srrc.usda.gov>
In-Reply-To: <20030605192828.GG1555@devil.stderror.at>
References: <20030605184110.GA94982@node1.cluster.srrc.usda.gov> <20030605192828.GG1555@devil.stderror.at>
Mail-Followup-To: questions@freebsd.org
User-Agent: Mutt/1.4.1i

On Thu, Jun 05, 2003 at 09:28:28PM +0200, Toni Schmidbauer wrote:
> On Thu, Jun 05, 2003 at 01:41:10PM -0500, Glenn Johnson wrote:
>
> > Is there any way to get password aging to work properly on FreeBSD?
> > It seems every time I figure out how to work around one limitation,
> > I come across another one.
>
> man pw(8)
>
> see options -e and -p
>
> for example "pw usermod luser -p 01072003", so the user has to change
> his pw on 01-07-2003.
>
> if this is not working for you, please post the error message.

I know I was vague in my message; I was beating my head against the wall
at the time. The implementation of a password aging scheme has been
mandated by my employer. I have used pw -p to set the age field in
master.passwd.

Problems:

[1] Password aging does not work with NIS, which I use. My understanding
is that password aging does work with nisplus, but FreeBSD does not have
that. I figured out how to work around this by disabling console logins
on the backend nodes and just having one machine for logins that uses
local password entries. I adjusted nsswitch.conf accordingly. This is a
cluster so that workaround is satisfactory for my situation.

[2] After a user changes the password, the change field in master.passwd
is set back to 0. I want the counter to start counting another 30 days.
A cron job can handle running 'pw usermod user -p +30d' so this is no
big deal, but it would be nice to have an option to repeat the time
period of expiration.

[3] Password aging does not work with xdm/gdm/kdm. I know this is not a
FreeBSD problem and a script in the session startup files is needed
here.

[4] This is the show-stopper. When the password is expired, ssh logins
fail. There is no opportunity to change the password because the
connection is closed immediately. I get the following error:

    sshd[45700]: fatal: monitor_read: unsupported request: 24

So if I need to log in remotely and the password has expired, I am out
of luck.

-- 
Glenn Johnson
USDA, ARS, SRRC                       Phone: (504) 286-4252
New Orleans, LA 70124                 e-mail: gjohnson@srrc.ars.usda.gov
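As an added example for problem [2] above (not part of this thread, and not code from FreeBSD's pw(8)), here is a dry-run helper of the kind a cron job could wrap: it scans a master.passwd-style file and prints the `pw usermod <user> -p +30d` commands that would restart the 30-day clock for accounts whose change field has fallen back to 0, plus the accounts whose change time is already in the past. The UID threshold of 1000 for "regular" users and the treatment of passwords starting with `*` or `!` as locked are assumptions, not something the thread states; the sample master.passwd is constructed, and "now" is passed in as an argument so the output is deterministic.

```shell
#!/bin/sh
# Added example; not from the mailing-list thread or from pw(8) itself.
# Dry-run scanner for a master.passwd(5)-style file. Field layout:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# The 6th field ("change") is the epoch time at which the password must
# be changed; 0 means no aging is currently set on the account.

pw_renewal_commands() {
    # $1: path to a master.passwd-style file
    # $2: current time as seconds since the epoch (defaults to now;
    #     pass a fixed value to get reproducible output)
    # $3: minimum UID treated as a regular user (assumption: 1000)
    awk -F: -v now="${2:-$(date +%s)}" -v minuid="${3:-1000}" '
        /^#/ || NF < 10 { next }                 # comments, malformed lines
        $3 < minuid      { next }                # system accounts (assumed < minuid)
        $2 ~ /^[*!]/     { next }                # locked accounts (assumed markers)
        $6 == 0  { printf "pw usermod %s -p +30d   # change field reset to 0\n", $1; next }
        $6 < now { printf "pw usermod %s -p +30d   # expired since %d\n", $1, $6 }
    ' "$1"
}

# Writes a constructed sample file (not real data) to the path in $1.
make_sample_passwd() {
    cat > "$1" <<'EOF'
# $FreeBSD$
root:$1$xx$hash:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$1$aa$hash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$bb$hash:1002:1002::1056801600:0:Bob:/home/bob:/bin/sh
carol:$1$cc$hash:1003:1003::1051488000:0:Carol:/home/carol:/bin/sh
dave:*LOCKED*:1004:1004::0:0:Dave:/home/dave:/bin/sh
EOF
}

# Demo against the constructed sample with "now" fixed at
# 2003-06-05 22:35:43 UTC (epoch 1054852543). In a real cron job point
# the scanner at /etc/master.passwd, let "now" default to date +%s,
# review the printed commands, and only then feed them to sh.
demo_file=$(mktemp)
make_sample_passwd "$demo_file"
pw_renewal_commands "$demo_file" 1054852543
rm -f "$demo_file"
```

With the sample above only alice (change field 0) and carol (change time 2003-04-28, already past) produce commands; bob's change time is still in the future, dave is locked, and root and daemon fall below the UID threshold. Printing the commands instead of executing them keeps the job reviewable, which matters when the same file also carries the accounts that should never have aging applied.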