From: David Schultz
To: Mats Larsson
Cc: freebsd-current@freebsd.org, des@freebsd.org
Date: Tue, 5 Aug 2003 08:25:42 -0700
Subject: Re: warnpassword and warnexpire in 5.1 login.conf
Message-ID: <20030805152542.GA752@HAL9000.homeunix.com>

On Tue, Aug 05, 2003, Mats Larsson wrote:
> Sure, run cap_mkdb on every edit on login.conf
>
> The values I'm trying to use there are the following:
> :warnexpire=28d:\
> :warnpassword=14d:\
>
> And with pw I use the following to test with: (also with -e option)
> pw usermod user -p +10d
>
> The only thing I'm getting now is a warning in messages when I try to log in
> to a locked account.
>
> Aug 5 12:14:39 marvin sshd[55256]: error: PAM: user accound has expired

This looks reasonable.

> And the following warning when password is old:
> Aug 5 12:27:38 marvin sshd[55386]: error: PAM: OK
> Aug 5 12:27:40 marvin sshd[55390]: fatal: PAM: chauthtok not supprted with privsep
>
> Is there perhaps a better PAM way of doing these things now??

Hmm... Apparently you can't change an expired password with a
privilege-separated OpenSSH. I don't know whether that can be
fixed, but perhaps des@ has some insight.