From: "b. f."
To: freebsd-questions@freebsd.org
Cc: Fernan Aguero
Date: Wed, 14 Jul 2010 01:19:47 +0000
Subject: Re: login.conf: passwordtime not enforced?
Reply-To: bf1783@gmail.com

> after reading some docs about hardening freebsd installations, I
> decided to enforce password expiration after 90 days. I've added the
> corresponding line to /etc/login.conf and ... after quite some time
> (way more than 3 months already!) nothing happens ...

If you want help, you'll have to be more specific. Exactly what changes
did you make to login.conf, in what sections? Did you run
'cap_mkdb /etc/login.conf' afterwards? Did you then reset your account
passwords and check the sixth colon-delimited field in /etc/master.passwd
with 'date -r' for each account changed, to see if the appropriate
expiration date was registered? Next time you make a change like this,
test it with a short expiration time (a minute or two, say) on a
non-critical account to see if it works instead of waiting three months to
discover that it does not.

> Any ideas on how to enforce this? Do I have to manually use pw(1) every 90 days?

No, you shouldn't have to if you use the feature properly. You'll be
prompted immediately after login for a new password if your old one has
expired.

b.
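The field check the reply describes, as an added example that is not part of the original message: a shell function that reads master.passwd-format lines on stdin and reports whether each account's sixth (change) field is unset, already past, or still in the future. The account lines and the reference time are constructed sample data, and `audit_change_field` and `sample_master_passwd` are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the original message.
# master.passwd layout (passwd(5)):
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# Field 6 (change) is the epoch time at which the password must be changed;
# 0 or empty means no password expiration is registered for the account.

# audit_change_field NOW  (reads master.passwd-format lines on stdin)
# Prints "name status change" per account, where status is one of:
#   unset    change is 0/empty: the passwordtime setting never took effect
#   expired  change <= NOW: a new password is demanded at the next login
#   ok       change > NOW: expiration is registered and still in the future
audit_change_field() {
    awk -F: -v now="$1" '
        /^#/ || NF < 10 { next }          # skip comments and malformed lines
        {
            chg = ($6 == "" ? "0" : $6)
            if (chg + 0 == 0)        status = "unset"
            else if (chg + 0 <= now) status = "expired"
            else                     status = "ok"
            print $1, status, chg
        }'
}

# Constructed sample data; password hashes replaced by "*".
sample_master_passwd() {
    cat <<'EOF'
# constructed sample, not a real password database
root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:default:1286846387:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002:default:1270000000:0:Bob:/home/bob:/bin/sh
EOF
}

# Reference time 1279070387 is a constructed "now" for the sample run.
sample_master_passwd | audit_change_field 1279070387
```

On a FreeBSD host the same function can be run as root with `audit_change_field "$(date +%s)" < /etc/master.passwd`; any account still reported as `unset` after its password was reset has no expiration date registered.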