From: Eygene Ryabinkin
Sender: rea-fbsd@codelabs.ru
To: Patrick Dung
Cc: freebsd-hackers@freebsd.org, freebsd-questions@freebsd.org
Date: Sat, 30 Jun 2007 23:59:49 +0400
Subject: Re: password aging and other policy enforcement
Message-ID: <20070630195949.GA1240@void.codelabs.ru>
In-Reply-To: <105872.23286.qm@web54305.mail.re2.yahoo.com>
List-Id: freebsd-questions (User questions)

Patrick, good day.
Sat, Jun 30, 2007 at 10:12:59AM -0700, Patrick Dung wrote:
> 1. Administrator can enforce password expire in /etc/login.conf

In the /etc/master.passwd. login.conf has the fields, but does not
implement the functionality, if the manpage is right:
=====
RESERVED CAPABILITIES
     The following capabilities are reserved for the purposes indicated
     and may be supported by third-party software. They are not
     implemented in the base system.

     Name          Type    Notes   Description
     <...>
     expireperiod  time            Time for expiry allocation.
     graceexpire   time            Grace days for expired account.
=====
But the following fields are working:

> Is there any tool that can check when the password will expire for the
> users?

Yep,
=====
$ LANG=C date -r `pw showuser | cut -d: -f 6`
Tue Jan 20 00:00:00 MSK 2009
$ LANG=C date -r `pw showuser | cut -d: -f 7`
Sat Feb 28 00:00:00 MSK 2009
=====

> 2. Any good way to enforce minimum password length and other
> restriction(like password need at least 2 numbers, 2 special char)?
>
> 3. Any ways to prevent user reuse old password?

man pam_passwdqc, search for the 'match' and 'similar'.

But for the '3.': the user still can change his password to something
and immediately bounce back to the old password. The longer password
history changes the chain length, but does not solve the problem
completely. The complete password history can help, but it is out of
the passwdqc's scope: it just checks against the current password.
-- 
Eygene
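The reply above reads the two epoch fields of master.passwd(5), `change` (field 6, when the password must be changed) and `expire` (field 7, when the account expires), one user at a time with `pw showuser` and `cut`. The script below is an added example, not part of Eygene's mail or of FreeBSD itself: it walks a master.passwd-format listing and flags accounts whose password is already past its change date, will reach it within a warning window, or whose account has expired. The field layout follows master.passwd(5) (name:password:uid:gid:class:change:expire:gecos:home:shell), with 0 meaning "never" in both date fields. The entries in `SAMPLE` are constructed for the example; on a real host you would feed it `pw showuser -a` or `/etc/master.passwd` (root only) instead.

```sh
#!/bin/sh
# Added example (not from the original mail): classify master.passwd(5)
# entries by the 'change' (field 6) and 'expire' (field 7) epoch fields.

# Constructed sample in master.passwd format; these are not real accounts.
# alice: change 2009-01-20, expire 2009-02-28 (the dates from the mail)
# bob:   neither field set (0 = never)
# carol: change date already in the past, no account expiry
# dave:  account expiry already in the past
SAMPLE='alice:*:1001:1001::1232409600:1235779200:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*:1003:1003::1230000000:0:Carol:/home/carol:/bin/sh
dave:*:1004:1004::0:1231000000:Dave:/home/dave:/bin/sh'

# classify_entry LINE NOW WARN_SECS
# Prints "user<TAB>status", where status is one of:
#   account-expired  field 7 set and already reached
#   pw-expired       field 6 set and already reached
#   pw-expiring      field 6 set and within WARN_SECS of NOW
#   ok               nothing due
# Account expiry is checked first: an expired account cannot log in at
# all, so its password state is irrelevant.
classify_entry() {
    line=$1; now=$2; warn=$3
    user=$(printf '%s\n' "$line" | cut -d: -f1)
    change=$(printf '%s\n' "$line" | cut -d: -f6)
    expire=$(printf '%s\n' "$line" | cut -d: -f7)
    # An empty field behaves like 0 ("never") in master.passwd(5).
    [ -z "$change" ] && change=0
    [ -z "$expire" ] && expire=0
    status=ok
    if [ "$expire" -ne 0 ] && [ "$expire" -le "$now" ]; then
        status=account-expired
    elif [ "$change" -ne 0 ] && [ "$change" -le "$now" ]; then
        status=pw-expired
    elif [ "$change" -ne 0 ] && [ $((change - now)) -le "$warn" ]; then
        status=pw-expiring
    fi
    printf '%s\t%s\n' "$user" "$status"
}

# report NOW WARN_SECS
# Runs classify_entry over every line of SAMPLE.
report() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r l; do
        classify_entry "$l" "$1" "$2"
    done
}

# Warn about passwords that must change within the next 14 days.
report "$(date +%s)" $((14 * 86400))
```

Comparing raw epoch seconds avoids the `date -r` versus `date -d @` difference between FreeBSD and GNU date, so the same script runs on either. Note that it only reports what the `change` and `expire` fields say; it does not tell you whether the login class actually enforces anything, which is the point the mail makes about `login.conf`.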