From: Julian Elischer
To: re@freebsd.org, hackers@freebsd.org
Date: Tue, 18 Mar 2003 13:33:31 -0800 (PST)
Subject: rumour of password aging failure in 4.7/4.8RC

I've received a few reports from the field that password aging with ssh
in 4.7 and 4.8RC is broken.

Is there anyone out there that is using password expiry and ssh?
Who's the expert?

The method being used:

  Define a class called the shellusers class in the /etc/login.conf.
  Run cap_mkdb on the login.conf file.
  Go into the master.passwd file and expire an account.

According to our clients, after the account is expired SSH on 4.7
disallows any logins. It is supposed to allow your connection and then
just force you to change your password.

On 4.8-RC ssh seems to be totally ignoring the fact that the password is
expired. "login" on the other hand acts as expected.

Is this the correct procedure? (If not, what IS the correct procedure?)
Where is password expiry documented? (man login.conf and man passwd seem
the best references so far.)

How does PAM come into this?

The older version of SSH we have on the 4.4 boxes works with the same
password expiration setup without any problems.
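Added example, not part of the original message: master.passwd carries two separate time fields, a password change time and an account expiration time, and a check like the one below shows which of the two a test account actually has set before ssh and login behaviour are compared. The account names, the fixed timestamp and the function names are constructed for illustration; only the shellusers class name comes from the message.

```shell
#!/bin/sh
# Classify master.passwd-format entries by their two time fields.
# Field layout per passwd(5):
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
#   change (field 6): time after which the password must be changed
#   expire (field 7): time after which the account itself expires
# An empty field or 0 turns the corresponding aging feature off.

# classify_entries NOW -- reads entries on stdin, prints "name<TAB>state".
# Account expiry is reported first because it is the stricter condition.
classify_entries() {
    awk -F: -v now="$1" '
        /^#/ || NF < 10 { next }      # skip comments and malformed lines
        {
            t = now + 0; change = $6 + 0; expire = $7 + 0
            if (expire > 0 && expire <= t)      state = "account-expired"
            else if (change > 0 && change <= t) state = "password-expired"
            else                                state = "ok"
            printf "%s\t%s\n", $1, state
        }'
}

# Constructed sample entries (not real accounts; "*" stands in for a hash).
sample_entries() {
    cat <<'EOF'
# constructed sample in master.passwd format
alice:*:1001:1001:shellusers:1:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002:shellusers:0:1:Bob:/home/bob:/bin/sh
carol:*:1003:1003:shellusers:0:0:Carol:/home/carol:/bin/sh
dave:*:1004:1004:shellusers:4102444800:0:Dave:/home/dave:/bin/sh
EOF
}

# Evaluate the sample against a fixed, constructed "now"
# (1047945600 = 2003-03-18 00:00:00 UTC).
sample_entries | classify_entries 1047945600
```

On a live system the input would be /etc/master.passwd (readable by root only) and the timestamp would come from `date +%s`.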