From owner-freebsd-security@FreeBSD.ORG Sat Sep 13 06:52:24 2008
From: Toby Burress
To: Khachatur Shahinyan
Cc: freebsd-security@freebsd.org
Date: Sat, 13 Sep 2008 02:35:23 -0400
Subject: Re: Freebsd auto locking users
Message-ID: <20080913063522.GA3784@lithium.delete.org>
In-Reply-To: <48CB52AE.6070501@arca.am>
References: <48CB52AE.6070501@arca.am>
User-Agent: mutt-ng/devel-r804 (FreeBSD)

On Sat, Sep 13, 2008 at 10:42:06AM +0500, Khachatur Shahinyan wrote:
> :passwordtime=90d:\
> :warnpassword=7d:\
> :warnexpire=7d:\
>
> Then I made the cap_mkdb /etc/login.conf, and everything went normal, no
> error messages, but after adding a test user I see no changes in the
> master.passwd file. The fields which are reserved for password aging
> parameters are 0:0
>
> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>
> And the locking point does not work either, e.g. no matter how many
> times I input a wrong password, I'm still able to log in. :(
>
> I cannot understand what I'm doing wrong, and what should be done to
> solve these issues? I'm not an expert in FreeBSD administration, so any
> comments and suggestions are welcome.

You'll notice in the login.conf man page that these are in the "reserved
capabilities" section:

    RESERVED CAPABILITIES
         The following capabilities are reserved for the purposes indicated
         and may be supported by third-party software.  They are not
         implemented in the base system.

For blocking repeated password attempts, check out security/pam_abl. Note
that if sshd doesn't use PAM, it won't have any effect for ssh logins.

A quick search doesn't show me any port for enforcing password age. For
what it's worth, I once emailed Bruce Schneier about the effectiveness of
that and he said he never changed his passwords (based on age, anyway).
But there's probably something.
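As an added illustration of the caveat in the reply above (pam_abl does nothing for ssh logins unless sshd actually uses PAM), here is a small audit script that is not part of the original thread. It assumes sshd honours the first UsePAM directive it finds with a compiled-in default of "no" (per sshd_config(5)), that the sshd PAM service file uses the usual `type control module` line layout, and the sample files it checks are constructed for the demonstration.

```shell
#!/bin/sh
# Audit whether pam_abl would actually apply to ssh logins: sshd must have
# UsePAM yes, and pam_abl.so must be loaded in sshd's auth stack.

# Print the effective UsePAM value from an sshd_config. sshd uses the first
# occurrence of a keyword; if it is absent, the default is "no" (assumed
# from sshd_config(5)).
sshd_usepam() {
    awk 'tolower($1) == "usepam" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Print "yes" if the PAM service file has an active (uncommented) auth line
# that loads pam_abl.so, otherwise "no".
pam_stack_has_abl() {
    awk '$1 !~ /^#/ && tolower($1) == "auth" && $3 ~ /pam_abl\.so/ { found = 1 }
         END { print (found ? "yes" : "no") }' "$1"
}

# Combine both checks: prints "effective" or "ineffective: <reason>".
# $1 = sshd_config path, $2 = PAM service file for sshd.
pam_abl_status() {
    if [ "$(sshd_usepam "$1")" != yes ]; then
        echo "ineffective: sshd does not use PAM"
    elif [ "$(pam_stack_has_abl "$2")" != yes ]; then
        echo "ineffective: pam_abl.so not in sshd auth stack"
    else
        echo effective
    fi
}

# Constructed sample files (hypothetical contents, not from any real host).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'Port 22\nUsePAM no\n' > "$WORK/sshd_config.nopam"
printf 'UsePAM yes\nUsePAM no\n' > "$WORK/sshd_config.pam"
printf '#auth required pam_abl.so\nauth required pam_unix.so\n' > "$WORK/pam.sshd.plain"
printf 'auth required pam_abl.so config=/usr/local/etc/pam_abl.conf\nauth required pam_unix.so\n' > "$WORK/pam.sshd.abl"

pam_abl_status "$WORK/sshd_config.nopam" "$WORK/pam.sshd.abl"   # ineffective: sshd does not use PAM
pam_abl_status "$WORK/sshd_config.pam" "$WORK/pam.sshd.plain"   # ineffective: pam_abl.so not in sshd auth stack
pam_abl_status "$WORK/sshd_config.pam" "$WORK/pam.sshd.abl"     # effective
```

On a real host, point the two arguments at /etc/ssh/sshd_config and /etc/pam.d/sshd instead of the sample files.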