From: Fernan Aguero
Date: Tue, 13 Jul 2010 15:40:14 -0300
To: freebsd-questions@freebsd.org
Subject: login.conf: passwordtime not enforced?

Hi,

after reading some docs about hardening FreeBSD installations, I decided to enforce password expiration after 90 days. I've added the corresponding line to /etc/login.conf and ... after quite some time (way more than 3 months already!) nothing happens ...

Just googled around, and noticed this functionality seems to be absent from the base system ... only passwd(1) seems to honor this value, but truth is, when I need to use passwd(1) it's because I want to change the password myself!

There is a post that mentions that having blowfish (instead of md5) as a 'passwd_format' works ...
http://www.daemonforums.org/showpost.php?s=41d1e0ba423c94357afe805dbe0b2730&p=17826&postcount=5

However, I wonder if it worked for the author of the post, only because he manually set the password expiry date using 'pw usermod [username] -p [date]'

Any ideas on how to enforce this? Do I have to manually use pw(1) every 90 days?

--
fernan

PS: other references to this problem:
http://markmail.org/message/f5b5o3vsyo7pcozf
http://lists.freebsd.org/pipermail/freebsd-security/2008-September/004934.html
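An audit for the situation described in the message, as an added example that is not part of the original post: it lists which accounts have no password change date recorded and prints, without running, the pw(8) command that would set one. It assumes the ten-field master.passwd(5) layout with the password change time in field 6 and 0 meaning none is set; the function names and sample accounts are constructed.

```shell
#!/bin/sh
# Constructed sample in master.passwd(5) layout (not real accounts or hashes):
# name:password:uid:gid:class:change:expire:gecos:home:shell
sample_master_passwd() {
cat <<'EOF'
root:$2a$04$constructedhash:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$2a$04$constructedhash:1001:1001:staff:0:0:Alice:/home/alice:/bin/sh
bob:$2a$04$constructedhash:1002:1002:staff:1270000000:0:Bob:/home/bob:/bin/sh
carol:$2a$04$constructedhash:1003:1003:staff:1285000000:0:Carol:/home/carol:/bin/sh
EOF
}

# audit_pwchange NOW  (master.passwd-format lines on stdin)
# Prints "<user> never|due|in_days=N" for every account with a usable password.
audit_pwchange() {
    awk -F: -v now="$1" '
        /^#/ || NF != 10 { next }                  # comments and malformed lines
        $2 == "*" || $2 ~ /^\*LOCKED\*/ { next }   # no password login, aging is moot
        {
            change = $6 + 0                        # force numeric comparison
            if (change == 0)             print $1, "never"
            else if (change <= now + 0)  print $1, "due"
            else print $1, "in_days=" int((change - now) / 86400)
        }
    '
}

# suggest_fix NOW [DAYS]
# Prints one pw(8) command per account that has no change date, for review.
# "+Nd" is the relative date form accepted by pw usermod -p.
suggest_fix() {
    audit_pwchange "$1" |
        awk -v d="${2:-90}" '$2 == "never" { print "pw usermod " $1 " -p +" d "d" }'
}

# Demo on the constructed sample; the timestamp is the date of the message above.
sample_master_passwd | audit_pwchange 1279046434
```

On a live system the same function would be fed the real file as root: audit_pwchange "$(date +%s)" < /etc/master.passwd.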