From owner-freebsd-questions@FreeBSD.ORG Wed Jul 14 20:02:35 2010
From: Fernan Aguero
Date: Wed, 14 Jul 2010 17:02:13 -0300
To: bf1783@gmail.com
Cc: freebsd-questions@freebsd.org
Subject: Re: login.conf: passwordtime not enforced?
On Wed, Jul 14, 2010 at 1:25 PM, b. f. wrote:
> On 7/14/10, Fernan Aguero wrote:
>> On Tue, Jul 13, 2010 at 10:19 PM, b. f. wrote:
>
>> I'm sorry about that. My apologies. I just assumed that you assumed
>> that I was doing the right thing(TM). :)
>
> That would be a very bad assumption to make, when attempting to track
> down a problem.
> ...

Right, I thought it was simpler than it really is ... this is getting scary.

>>> Next time you make a change like this, test it with a short expiration
>>> time (a minute or
>>> two, say) on a non-critical account to see if it works instead of waiting
>>> three months to discover that it does not.
>>
>> I usually assume that the docs are correct, and don't go about
>> checking and re-checking that everything works as expected ... at least
>> not for these trivial config tweaks. Of course I've checked that the
>> newly created passwords (now using blf instead of md5) worked, but I
>> just assumed that the rest of the config settings for this login class
>> didn't require further checking ... if the blf change worked, why not
>> the rest?
>>
>> Do you suggest that I should now go and check if the
>> 'mixpasswordcase', 'minpasswordlen', 'idletime' or the 'umask'
>> settings are honored? I just hope I don't need to ... :)
>
> The docs can be outdated, incomplete, or misinterpreted. Or your
> system could be misconfigured or broken. How much time and energy you
> put into your testing is up to you. If you're serious about security,
> you'll check your changes. Some of the above-mentioned are fairly
> easy to check.

Right, should have checked before talking ... see below,

>> I just added a new class in login.conf:
>>
>> test:\
>>         :tc=default:\
>>         ::passwordtime=2m:
>>
>> And then added a new user 'testaccount', using adduser(1). I've
>> verified that its login class was OK in /etc/master.passwd (BTW again
>> the 6th field is '0'). And I never got any message about the password
>> being expired, after several successful login attempts that, obviously,
>> spanned more than 2 minutes.
>
> Bravo. The above is more of the kind of thing that needs to be done
> when trying to diagnose a problem. But I think you want:
>
> test:\
>     :passwordtime=2m:\
>     :tc=default:
>
> See the default login.conf and getcap(3).

OK, changed this, but got mixed results, see below.

>> Who is responsible for filling in the password expiration time/date in
>> master.passwd, according to the login class config? passwd(1)?
>> adduser(1)? Myself, manually?
>
> The first time you have to change it manually for each account, with
> passwd(1);

Sorry if I'm getting dense but do you mean 'manually' as in editing
master.passwd with vipw? Or do you really mean 'manually' with passwd(1)?
My passwd(1) only allows me to change the user password and even doing
this doesn't update the expiration time in master.passwd. Is there a
hidden functionality in passwd that allows me to set the expiration time
for the password?

BTW, this is on FreeBSD-6.4-p10. And so far all my tests fail to make
passwords expire.

But I just tested the same changes on a recent 7.3-STABLE. And:

i) the first time, passwd(1) doesn't update the expiration time in
master.passwd, I have to enter it manually using vipw

ii) using ssh and trying to log in after the expiration period makes the
system prompt for a new password, with no further explanation about
what's going on, i.e.:

[fernan@localhost] ssh testaccount@otherhost
Password:
New Password:

So, the password is getting expired.

However,

iii) the 6th field in master.passwd for this account is reset to '0'
after setting the new password. This happens if I set the new password
as prompted using ssh, or if I run passwd(1) on a terminal.

And,

iv) I was able to enter a 5 character password, no mixed case, all
letters, completely ignoring the other settings in the default login
class (minpasswordlen=8, mixpasswordcase=true).

> thereafter pam_unix(8) checks for expiration at login time:
> if a password has expired, you are prompted to change it,

correct in FreeBSD-7.3-STABLE

> and the new password will have the appropriate expiration time.

not in my case.

> It works for me locally, with the default security settings; I've never tried it over
> a remote connection.

which FreeBSD version are you using?

> You may have some configuration settings that
> are causing problems. Have you tinkered with /etc/pam.d/* ?

No.

> What other configuration changes have you made?

Some mentioned in http://tuxtraining.com/2009/04/26/how-to-harden-freebsd

> After using cap_mkdb, have /etc/pwd.db and /etc/spwd.db changed? Do they have the right
> timestamps?

After using cap_mkdb on /etc/login.conf, /etc/login.conf.db gets changed, yes.
And after editing master.passwd with vipw, all of /etc/pwd.db, /etc/spwd.db
and /etc/passwd get changed. Timestamps are OK and reasonable.

> Does the password change mechanism work properly if you
> are logging in locally, as opposed to remotely via ssh?

Yes in FreeBSD-7.3-STABLE. Not in 6.4.

> Are your system clocks keeping the right time?

Yes.

>> and entering that value into the 6th field of /etc/master.passwd. But
>> then, I'll have to do this regularly using a script, because,
>
> This shouldn't be necessary. It would be better to try to find out
> what is wrong.
>
>> Is it at all possible to enforce password expiration times in FreeBSD?
>
> Yes. But it will take some patience to track down your problem.
>
> b.

Thanks for all the help.

-- 
fernan
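The two problems the thread turns on, the order of passwordtime and tc=default in a login.conf record and a 6th master.passwd field left at 0, as an added audit script that is not part of this thread or of FreeBSD: it resolves a login class the way getcap(3) does (the first occurrence of a capability wins), converts passwordtime periods to seconds, and reports for each account whether expiry can be enforced at all. The login.conf records and master.passwd lines are constructed samples in the style of the post, and the script assumes the class and password-change fields are the 5th and 6th master.passwd fields and that the files contain no comment lines.

```python
import re
# Constructed sample login.conf (not a real host's file); 'bad' copies the post's ordering.
LOGIN_CONF = """\
default:\t:passwordtime=90d:
good:\t:passwordtime=2m:\t:tc=default:
bad:\\
\t:tc=default:\\
\t::passwordtime=2m:
"""
# Constructed master.passwd lines; the 6th field is the password-change time (epoch secs).
MASTER_PASSWD = """\
alice:$2a$placeholder:1001:1001:good:1279000000:0:Alice:/home/alice:/bin/sh
bob:$2a$placeholder:1002:1002:bad:1279000000:0:Bob:/home/bob:/bin/sh
carol:$2a$placeholder:1003:1003:good:0:0:Carol:/home/carol:/bin/sh
"""
UNITS = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_login_conf(text):
    # class -> [(cap, value)] in file order ('\' continuations joined, '::' tolerated, no '#' comments)
    records = {}
    for rec in re.sub(r"\\\n", "", text).strip().splitlines():
        name, *caps = [f.strip() for f in rec.split(":") if f.strip()]
        records[name] = [tuple(c.split("=", 1)) if "=" in c else (c, True) for c in caps]
    return records

def effective(records, cls, seen=()):
    # getcap(3) semantics: the first occurrence of a capability wins, so a cap written before
    # tc= overrides the included record, and one written after tc= is ignored if default sets it
    caps = {}
    for cap, val in records.get(cls or "default", []):
        if cap != "tc":
            caps.setdefault(cap, val)
        elif val not in seen:
            for k, v in effective(records, val, seen + (cls,)).items():
                caps.setdefault(k, v)
    return caps

def period_seconds(spec):  # login.conf period such as '2m' (minutes) or '90d'
    return sum(int(n) * UNITS[u or "s"] for n, u in re.findall(r"(\d+)([ywdhms]?)", spec))

def audit(login_conf, master_passwd, now):
    records, report = parse_login_conf(login_conf), {}
    for line in master_passwd.strip().splitlines():
        user, _, _, _, cls, change = line.split(":")[:6]
        period = effective(records, cls).get("passwordtime")
        if period and int(change) == 0:  # the thread's symptom: a 0 change time never expires
            report[user] = "change field is 0: expiry cannot be enforced"
        elif period:
            report[user] = "expired" if now >= int(change) + period_seconds(period) else "valid"
    return report
```

Run against the real files as root (the class field and change field are read straight from master.passwd) to see which accounts can never expire; bob's class shows why the reply insisted on putting passwordtime before tc=default.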