From: Matthew Seaman
Date: Thu, 12 Apr 2012 13:10:06 +0100
To: freebsd-questions@FreeBSD.org
Subject: Re: How to set Password Change Time in FreeBSD
Message-ID: <4F86C61E.2000100@FreeBSD.org>

On 12/04/2012 10:15, Jun Li BJ Zhao wrote:
> To force local user in FreeBSD system changing their password periodically,
> I want to set Password Change Time. I tried the following two ways, but
> both failed. Could you please give me the correct operations? Thanks a lot!
>
> Method 1:
> Added passwordtime=2m to /etc/login.conf, then run the command
> cap_mkdb /etc/login.conf.
> Result: password of any user was not expired after two minutes.

This just sets the default password expiry.  If you created a new
account after doing this, it should have the password expiry behaviour
you expect.

> Method 2:
> Run the command pw usermod root -p 2m
> Result: password of root was expired after two minutes. But after I changed
> it one time, it would be never expired again.

Method 1 is what you want to use to set a system-wide password expiry
policy, and Method 2 is one way of applying that policy to existing
accounts.

You need to modify /etc/master.passwd to enable the policy on existing
accounts after setting up /etc/login.conf.  There are two master.passwd
fields that control this functionality:

Field 5: the users' class -- which entry in /etc/login.conf applies
         for this account.  By default this is empty, which means
         'use the default class.'

Field 6: the time that account password must next be changed, given
         as a standard seconds-since-the-epoch unix time.  If zero,
         then the password never expires.

So to set the policy, decide on a login class for all your real users,
add them to it, configure the class with your preferred password
lifetime, then modify master.passwd to set the time when the first
password change should happen for all existing accounts ('pw usermod -p
time' is a way of doing that.  Or you could just edit master.passwd
directly if you want to set this in bulk.)

With the login.conf policy in place passwd(1) should reset the 6th field
appropriately next time the password is changed.

The root account is special as regards this functionality.  Try using an
unprivileged account for testing purposes.

	Cheers

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
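
The audit below is an added example, not part of the original message: it reads master.passwd-format data and reports, for each account that can log in, the login class (field 5) and whether the password-change time (field 6) is unset, already due, or still in the future. The function names, the uid threshold of 1001, the sample accounts and the "now" value are constructed for illustration.

```sh
#!/bin/sh
# Added example. master.passwd layout:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# Field 5 is the login class; field 6 is the next required password
# change in epoch seconds (0 = never expires).

# pw_change_audit NOW MIN_UID   (reads master.passwd-format data on stdin)
#   NOW      current time in epoch seconds
#   MIN_UID  lowest uid treated as a real user (assumed 1001 here)
# Prints "user class status"; status is never, due or ok.
pw_change_audit() {
    awk -F: -v now="$1" -v min_uid="$2" '
        /^#/ || NF < 10      { next }   # comments, malformed lines
        $3 + 0 < min_uid + 0 { next }   # system accounts
        $10 ~ /nologin$/     { next }   # accounts that cannot log in
        {
            class  = ($5 == "") ? "default" : $5
            change = $6 + 0
            if (change == 0)            status = "never"
            else if (change <= now + 0) status = "due"
            else                        status = "ok"
            print $1, class, status
        }'
}

# Constructed sample accounts (not from any real system).
sample_master_passwd() {
    cat <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:*:1001:1001:staff:1334000000:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*:1003:1003:staff:1340000000:0:Carol:/home/carol:/bin/tcsh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
EOF
}

# Demo with a constructed "now"; on a live system use "$(date +%s)".
sample_master_passwd | pw_change_audit 1334232606 1001
```

On a live system, run it as root with `pw_change_audit "$(date +%s)" 1001 < /etc/master.passwd`; accounts reported as `never` are the existing accounts that still need a first change time set, for example with `pw usermod -p`.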