From owner-freebsd-questions@FreeBSD.ORG Wed Jul 14 15:16:38 2010
From: Fernan Aguero
Date: Wed, 14 Jul 2010 12:16:16 -0300
To: bf1783@gmail.com
Cc: freebsd-questions@freebsd.org
Subject: Re: login.conf: passwordtime not enforced?
List-Id: User questions
On Tue, Jul 13, 2010 at 10:19 PM, b. f. wrote:

> > after reading some docs about hardening freebsd installations, I
> > decided to enforce password expiration after 90 days. I've added the
> > corresponding line to /etc/login.conf and ... after quite some time
> > (way more than 3 months already!) nothing happens ...
>
> If you want help, you'll have to be more specific.

Thanks bf1783, I'm sorry about that. My apologies. I just assumed that you
assumed that I was doing the right thing(TM). :)

> Exactly what changes did you make to login.conf, in what sections?

I've changed only the default login class, and added and/or changed these
lines:

:passwd_format=blf:\
:minpasswordlen=8:\
:mixpasswordcase=true:\
:passwordtime=90d:\
:idletime=30:\
:umask=027:

> Did you run 'cap_mkdb /etc/login.conf' afterwards?

Of course I did.

> Did you then reset your account passwords

Of course. Now they all begin with $2a, as expected for blowfish-hashed
passwds.

> and check the sixth colon-delimited field in /etc/master.passwd with
> 'date -r' for each account changed, to see if the appropriate expiration
> date was registered?

I don't quite get what 'date -r' does here ... but yes, I've checked the 6th
field in /etc/master.passwd; all accounts (regular users and system
accounts) have a '0' in that field.

> Next time you make a change like this, test it with a short expiration
> time (a minute or two, say) on a non-critical account to see if it works
> instead of waiting three months to discover that it does not.

I usually assume that the docs are correct, and don't go about checking and
re-checking that everything works as expected ... unless not for these
trivial config tweaks.

Of course I've checked that the newly created passwords (now using blf
instead of md5) worked, but I just assumed that the rest of the config
settings for this login class didn't require further checking ... if the
blf change worked, why not the rest?

Do you suggest that I should now go and check if the 'mixpasswordcase',
'minpasswordlen', 'idletime' or the 'umask' settings are honored? I just
hope I don't need to ... :)

> > Any ideas on how to enforce this? Do I have to manually use pw(1) every
> > 90 days?
>
> No, you shouldn't have to if you use the feature properly.  You'll be
> prompted immediately after login for a new password if your old one
> has expired.
>
> b.

I just added a new class in login.conf:

test:\
:tc=default:\
::passwordtime=2m:

And then added a new user 'testaccount', using adduser(1). I've verified
that its login class was OK in /etc/master.passwd (BTW, again the 6th field
is '0').

And I never got any message about the password being expired, after several
successful login attempts that, obviously, spanned more than 2 minutes.

Who is responsible for filling in the password expiration time/date in
master.passwd, according to the login class config? passwd(1)? adduser(1)?
Myself, manually? I guess this is the question I wanted answered in my
first email.

After reading, again, the man page for master.passwd(5), which says that
"The expire field is the number of seconds from the epoch, UTC, until the
account expires.", it's now clear to me that

i) I can do it manually, e.g. by running something like

%date -j -f "%a %b %d %T %Z %Y" "`date -v+90d`" "+%s"
1286895815

and entering that value into the 6th field of /etc/master.passwd. But then,
I'll have to do this regularly using a script, because

ii) passwd(1) fails to read the setting in login.conf and then add the
corresponding expiration time (in seconds since the epoch) in
/etc/master.passwd.

Unless, of course, I'm missing something ...

After setting the expiration time to

%date -j -f "%a %b %d %T %Z %Y" "`date -v+2M`" "+%s"
1279120340

and then waiting until this time has passed, nothing happens (I'm logging
in remotely using SSH) ... no warning, no refusal to log me in, nothing.

Is it at all possible to enforce password expiration times in FreeBSD?

--
fernan
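The check b. f. asked for (whether a deadline actually landed in the sixth field of /etc/master.passwd) can be scripted, so it is not left to eyeballing one account at a time. The following is an added example, not code from this thread or from FreeBSD's base system: a POSIX sh/awk audit over a master.passwd(5)-style file. The only fact taken from the manual is the field layout, name:password:uid:gid:class:change:expire:gecos:home_dir:shell, where the sixth field ("change") is the password-change deadline in seconds since the epoch (0 meaning none) and the seventh ("expire") is the account expiry. The sample accounts, the placeholder hashes and the function names change_deadline, audit_passwd and count_unset are all constructed for this example.

```sh
#!/bin/sh
# Added example: audit the "change" column of a master.passwd(5)-style file.
# Field layout per master.passwd(5):
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# "change" (6th field) is the epoch time by which the password must be changed,
# 0 meaning no deadline. "expire" (7th field) is the account expiry, 0 = never.
# A class with passwordtime set whose members still show change=0 is the
# symptom in the thread: the policy exists in login.conf but no deadline was
# ever written for the accounts.

# Constructed sample data, NOT a real system file. Hashes are placeholders.
SAMPLE_MASTER_PASSWD='# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:$2a$04$PLACEHOLDERHASH:1001:1001:default:1286895815:0:Alice:/home/alice:/bin/sh
bob:$2a$04$PLACEHOLDERHASH:1002:1002:default:0:0:Bob:/home/bob:/bin/sh
testaccount:$2a$04$PLACEHOLDERHASH:1003:1003:test:1279120340:0:Test:/home/testaccount:/bin/sh'

# change_deadline NOW_EPOCH DAYS
# The value the change field should hold for a password set at NOW_EPOCH under
# a class with passwordtime=<DAYS>d. Plain arithmetic, so it does not depend on
# the BSD-specific date -v / date -j flags used in the thread.
change_deadline() {
    echo $(( $1 + $2 * 86400 ))
}

# audit_passwd NOW_EPOCH < master.passwd
# Prints "name class status" per account. Status values:
#   unset    change==0: no deadline recorded, passwordtime is not being applied
#   overdue  deadline at or before NOW_EPOCH: the user should be forced to change
#   ok Nd    deadline N whole days in the future
# Comment lines and short (non-10-field) lines are skipped; an empty class is
# shown as "(none)".
audit_passwd() {
    awk -F: -v now="$1" '
        /^#/ || NF < 10 { next }
        {
            name = $1
            class = ($5 == "") ? "(none)" : $5
            change = $6 + 0
            if (change == 0)        status = "unset"
            else if (change <= now) status = "overdue"
            else                    status = "ok " int((change - now) / 86400) "d"
            printf "%s %s %s\n", name, class, status
        }'
}

# count_unset NOW_EPOCH < master.passwd
# Number of accounts that have no password-change deadline at all.
count_unset() {
    audit_passwd "$1" | grep -c ' unset$'
}

# Stand-alone run against the constructed sample, relative to the current time.
printf '%s\n' "$SAMPLE_MASTER_PASSWD" | audit_passwd "$(date +%s)"
```

Against a live system this is run as root, e.g. `audit_passwd "$(date +%s)" < /etc/master.passwd`, or on a copy of the file. If every member of a class that carries passwordtime reports "unset", the deadline is never being written at password-change time, which is a different problem from the login-time check not firing, and is the part to investigate first (the tool that set the password, and whether it consults the login class) before concluding that expiration cannot be enforced.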