From owner-freebsd-questions@FreeBSD.ORG Wed Jul 6 20:24:17 2005
Date: Wed, 6 Jul 2005 15:24:10 -0500
From: Dan Nelson
To: Mike Carlson
Cc: freebsd-questions@freebsd.org
Subject: Re: Account password expiration
Message-ID: <20050706202410.GB38925@dan.emsphone.com>
X-OS: FreeBSD 5.4-STABLE
User-Agent: Mutt/1.5.9i

In the last episode (Jul 06), Mike Carlson said:
> Is there a way in 5.x to have account passwords expire every 180
> days? Or I should say N days really. I think this was once tunable in
> /etc/login.conf but that has been replaced with PAM.
>
> Anyway, I just need account passwords to expire every 180 days, any
> help is appreciated.

It looks like pam_unix does check the passwd-change field in master.passwd, but I don't see any code that resets the field when a password is updated. The login.conf and passwd manpages refer to a "passwordtime" capability, but libpam zeroes out the change field when the passwd is changed.

Try the following patch. After rebuilding pam_unix.so, edit /etc/login.conf, set "passwordtime" to some short value like "10m", run "cap_mkdb /etc/login.conf", change a password, and see if it expires in 10 minutes.

Index: pam_unix.c
===================================================================
RCS file: /home/ncvs/src/lib/libpam/modules/pam_unix/pam_unix.c,v
retrieving revision 1.49
diff -u -r1.49 pam_unix.c
--- pam_unix.c	10 Feb 2004 10:13:21 -0000	1.49
+++ pam_unix.c	6 Jul 2005 20:14:06 -0000
@@ -371,8 +371,10 @@ if ((old_pwd = pw_dup(pwd)) == NULL) return (PAM_BUF_ERR); - pwd->pw_change = 0; lc = login_getclass(NULL); + pwd->pw_change = login_getcaptime(lc, "passwordtime", 0, 0); + if (pwd->pw_change) + pwd->pw_change += time(NULL); if (login_setcryptfmt(lc, password_hash, NULL) == NULL) openpam_log(PAM_LOG_ERROR, "can't set password cipher, relying on default"); -- Dan Nelson dnelson@allantgroup.com
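Review bot: the new `pwd->pw_change = login_getcaptime(lc, "passwordtime", 0, 0);` line passes 0 as both the default and the error value, so a malformed passwordtime in login.conf is indistinguishable from an unset one and silently leaves the password non-expiring; pass a distinct error sentinel (for example -1), log it with openpam_log() and only then fall back to 0. Also, `lc` comes from the unchanged `lc = login_getclass(NULL);` line, i.e. the default login class, so a passwordtime set only on the user's own class will not be applied; looking the class up from the user's entry with login_getpwclass(pwd) would honour per-class settings.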
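An added example in POSIX sh/awk, not code from the thread or from FreeBSD: it converts a login.conf "passwordtime" value to seconds (suffixes s, m, h, d, w as documented for login_cap(3); a bare number is seconds) the way the patch's expiry computation relies on, and audits a constructed master.passwd(5) sample for accounts whose change field is 0 (the value the unpatched module always writes, so the password never has to change) or already in the past.

```shell
#!/bin/sh
# Constructed sample in master.passwd(5) layout:
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# Field 6 ("change") is the epoch time after which the password must be
# changed; 0 means no change is ever required.
SAMPLE_MASTER_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:$6$fake:1001:1001::1100000000:0:Alice:/home/alice:/bin/sh
bob:$6$fake:1002:1002::1900000000:0:Bob:/home/bob:/bin/sh
carol:$6$fake:1003:1003:staff:0:0:Carol:/home/carol:/bin/sh'

# passwordtime_to_seconds VALUE
# "10m" -> 600, "180d" -> 15552000, "3600" -> 3600; anything else -> 0,
# which (like the patch) would mean "no expiry".
passwordtime_to_seconds() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+$/         { print $0 + 0; exit }
        /^[0-9]+[smhdw]$/  {
            n = substr($0, 1, length($0) - 1) + 0
            u = substr($0, length($0))
            m["s"] = 1; m["m"] = 60; m["h"] = 3600
            m["d"] = 86400; m["w"] = 7 * 86400
            print n * m[u]; exit
        }
        { print 0 }'
}

# expected_change NOW PASSWORDTIME: the pw_change value the patched module
# would store when a password is changed at time NOW (0 if no passwordtime).
expected_change() {
    secs=$(passwordtime_to_seconds "$2")
    [ "$secs" -gt 0 ] && echo $(($1 + secs)) || echo 0
}

# audit_pw_change NOW: reads master.passwd lines on stdin and prints
# "<name> <status>" with status no-expiry (change == 0), expired (change <= NOW)
# or ok.
audit_pw_change() {
    awk -F: -v now="$1" 'NF >= 7 {
        c = $6 + 0
        if (c == 0)        s = "no-expiry"
        else if (c <= now) s = "expired"
        else               s = "ok"
        print $1, s
    }'
}

# count_no_expiry NOW: number of accounts never forced to change (stdin as above).
count_no_expiry() {
    audit_pw_change "$1" | awk '$2 == "no-expiry"' | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_MASTER_PASSWD" | audit_pw_change 1500000000
```

On a live system the same audit runs over `/etc/master.passwd` (readable only by root) with `date +%s` as NOW.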