From owner-freebsd-questions@FreeBSD.ORG Wed Jul 14 16:25:56 2010
Date: Wed, 14 Jul 2010 16:25:54 +0000
From: "b. f."
To: Fernan Aguero
Cc: freebsd-questions@freebsd.org
Subject: Re: login.conf: passwordtime not enforced?
Reply-To: bf1783@gmail.com

On 7/14/10, Fernan Aguero wrote:
> On Tue, Jul 13, 2010 at 10:19 PM, b. f. wrote:
>
> I'm sorry about that. My apologies. I just assumed that you assumed
> that I was doing the right thing(TM). :)

That would be a very bad assumption to make, when attempting to track
down a problem.

...

>> and check the sixth colon-delimited field in /etc/master.passwd with
>> 'date -r' for each account changed, to see if the appropriate
>> expiration date was registered?
>
> I don't quite get what 'date -r' does here ... but yes I've checked
> the 6th field in /etc/master.passwd, all accounts (regular users and
> system accounts) have a '0' in that field.

It transforms the password expiration time to a more convenient format,
for those of us who aren't counting machines. A 0 in the sixth field
indicates that there is no expiration time, and something is wrong.

>> Next time you make a change like this, test it with a short expiration
>> time (a minute or two, say) on a non-critical account to see if it
>> works, instead of waiting three months to discover that it does not.
>
> I usually assume that the docs are correct, and don't go about
> checking and re-checking that everything works as expected ... unless
> not for these trivial config tweaks. Of course I've checked that the
> newly created passwords (now using blf instead of md5) worked, but I
> just assumed that the rest of the config settings for this login class
> didn't require further checking ... if the blf change worked, why not
> the rest?
>
> Do you suggest that I should now go and check if the
> 'mixpasswordcase', 'minpasswordlen', 'idletime' or the 'umask'
> settings are honored? I just hope I don't need to ... :)

The docs can be outdated, incomplete, or misinterpreted. Or your system
could be misconfigured or broken. How much time and energy you put into
your testing is up to you. If you're serious about security, you'll
check your changes. Some of the above-mentioned are fairly easy to
check.

> I just added a new class in login.conf:
>
> test:\
>         :tc=default:\
>         ::passwordtime=2m:
>
> And then added a new user 'testaccount', using adduser(1). I've
> verified that its login class was OK in /etc/master.passwd (BTW again
> the 6th field is '0'). And I never got any message about the password
> being expired, after several successful login attempts that, obviously,
> spanned more than 2 minutes.
>

Bravo. The above is more of the kind of thing that needs to be done
when trying to diagnose a problem. But I think you want:

test:\
        :passwordtime=2m:\
        :tc=default:

See the default login.conf and getcap(3).

> Who is responsible for filling in the password expiration time/date in
> master.passwd, according to the login class config? passwd(1)?
> adduser(1)? Myself, manually?

The first time you have to change it manually for each account, with
passwd(1); thereafter pam_unix(8) checks for expiration at login time:
if a password has expired, you are prompted to change it, and the new
password will have the appropriate expiration time. It works for me
locally, with the default security settings; I've never tried it over a
remote connection. You may have some configuration settings that are
causing problems. Have you tinkered with /etc/pam.d/* ? What other
configuration changes have you made? After using cap_mkdb, have
/etc/pwd.db and /etc/spwd.db changed? Do they have the right
timestamps? Does the password change mechanism work properly if you are
logging in locally, as opposed to remotely via ssh? Are your system
clocks keeping the right time?

> and entering that value into the 6th field of /etc/master.passwd. But
> then, I'll have to do this regularly using a script, because,

This shouldn't be necessary. It would be better to try to find out what
is wrong.

> Is it at all possible to enforce password expiration times in FreeBSD?

Yes. But it will take some patience to track down your problem.

b.
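The check b. f. describes above (read the sixth field of /etc/master.passwd and turn it into a date) as an added POSIX sh example; it is not code from the thread. The master.passwd entries, the bcrypt hash placeholder and the epoch value are constructed sample data, and the `date -d @N` fallback is an assumption for systems where `date -r` takes a file rather than an epoch, as it does on GNU coreutils.

```shell
#!/bin/sh
# Constructed sample of /etc/master.passwd lines, master.passwd(5) layout:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# The 6th field ("change") is the epoch time by which the password must be
# changed; 0 means no deadline was ever recorded for the account.
SAMPLE='root:*:0:0::0:0:Charlie &:/root:/bin/csh
testaccount:$2a$04$constructedhashplaceholder:1001:1001:test:1279124754:0:Test User:/home/testaccount:/bin/sh'

# Print the change field of one user, reading master.passwd-style content
# from stdin; prints nothing when the user is absent.
change_field() {
    awk -F: -v u="$1" '$1 == u { print $6; exit }'
}

# Render an epoch value the way 'date -r' does on FreeBSD. GNU date uses -r
# for a file's mtime, so fall back to its '-d @N' spelling (assumption).
epoch_to_date() {
    date -u -r "$1" 2>/dev/null || date -u -d "@$1"
}

# Classify a change field against a "now" epoch: empty field means unknown
# user, 0 means the login class's passwordtime was never applied, a deadline
# at or before now means the password is expired, otherwise still valid.
change_status() {
    if [ -z "$1" ]; then echo unknown
    elif [ "$1" -eq 0 ]; then echo none
    elif [ "$1" -le "$2" ]; then echo expired
    else echo valid
    fi
}

# Report every account in SAMPLE; return 1 if any account has no deadline,
# which is exactly the symptom the thread is about.
report() {
    now=$(date +%s); bad=0
    for user in $(printf '%s\n' "$SAMPLE" | awk -F: '{ print $1 }'); do
        f=$(printf '%s\n' "$SAMPLE" | change_field "$user")
        st=$(change_status "$f" "$now")
        if [ "$st" = none ]; then
            printf '%s: change=0 (no deadline; passwordtime not applied)\n' "$user"
            bad=1
        else
            printf '%s: change=%s (%s) %s\n' "$user" "$f" "$(epoch_to_date "$f")" "$st"
        fi
    done
    return $bad
}

report || echo "at least one account has no password change deadline"
```

Run it against the real file with `printf '%s\n' "$SAMPLE"` replaced by `cat /etc/master.passwd` as root; every account in the affected login class should show a non-zero change field once passwd(1) has been run for it.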