From: "Jon Passki"
To: "Khachatur Shahinyan"
Cc: freebsd-security@freebsd.org
Date: Sat, 13 Sep 2008 08:48:25 -0500
Subject: Re: Freebsd auto locking users
In-Reply-To: <48CB52AE.6070501@arca.am>

On Sat, Sep 13, 2008 at 12:42 AM, Khachatur Shahinyan wrote:
>
> Dear FreeBSD gurus,
>
> I have a problem concerning user password and authentication policies. The goal is:
> 1) make FreeBSD lock users after 3 unsuccessful login attempts,
> 2) force users to change their passwords every 90 days.
>
> I've done such changes in Linux distros with various PAM modules, but in FreeBSD it seems that I need to use the login.conf file. Here I made the necessary changes in that file:
>
> >>>>>>
> default:\
>         .............
>         .............
>         .............
>         :login-retries=1:\
>         :passwordtime=90d:\
>         :warnpassword=7d:\
>         :warnexpire=7d:\
> >>>>>>>
>
> Then I ran cap_mkdb /etc/login.conf, and everything went normally, no error messages, but after adding a test user I see no changes in the master.passwd file. The fields which are reserved for password aging parameters are 0:0:
>
> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>
> And the locking does not work either, e.g. no matter how many times I input a wrong password, I'm still able to log in. :(
> I cannot understand what I'm doing wrong, and what should be done to solve these issues? I'm not an expert in FreeBSD administration, so any comments and suggestions are welcome.

login.conf manual page: [1]

    RESERVED CAPABILITIES
         The following capabilities are reserved for the purposes indicated and
         may be supported by third-party software.  They are not implemented in
         the base system.
    [...]
         passwordtime    time    Used by passwd(1) to set next password expiry date.
    [...]

The other capabilities (warnpassword, warnexpire, login-retries) do not relate to lock-out attempts. To my knowledge, there are no other capabilities supported by the base in login.conf that will lock out an account. This has been discussed prior [2,3]. It is not available in the base; the administrator has to do this manually.

[1] http://www.freebsd.org/cgi/man.cgi?query=login.conf&apropos=0&sektion=0&manpath=FreeBSD+7.0-RELEASE&format=html
[2] http://lists.freebsd.org/pipermail/freebsd-questions/2003-August/015073.html
[3] http://lists.freebsd.org/pipermail/freebsd-questions/2008-February/167981.html

Cheers,
Jon
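One way to do the manual lock-out Jon refers to, as an added example that is not part of this thread: a small sh script that counts failed sshd password attempts per account in auth.log and locks offenders with pw(8). It assumes the OpenSSH "Failed password for USER from ..." log line format and uses a constructed sample log; the file path, threshold and DRY_RUN variable are the example's own choices.

```shell
# Constructed sample of /var/log/auth.log sshd lines (not taken from the thread).
SAMPLE_LOG='Sep 13 06:40:01 host sshd[812]: Failed password for test from 192.0.2.10 port 51022 ssh2
Sep 13 06:40:05 host sshd[812]: Failed password for test from 192.0.2.10 port 51022 ssh2
Sep 13 06:40:09 host sshd[812]: Failed password for test from 192.0.2.10 port 51022 ssh2
Sep 13 06:41:00 host sshd[815]: Failed password for invalid user admin from 198.51.100.7 port 40012 ssh2
Sep 13 06:42:30 host sshd[820]: Failed password for jon from 203.0.113.4 port 33001 ssh2
Sep 13 06:43:00 host sshd[822]: Accepted password for jon from 203.0.113.4 port 33002 ssh2'

# users_to_lock LOGFILE [THRESHOLD]
# Print, one per line, every account with at least THRESHOLD (default 3)
# failed sshd password attempts in LOGFILE.  "invalid user" lines are
# skipped: there is no local account to lock.
users_to_lock() {
    awk -v t="${2:-3}" '
        /sshd\[[0-9]+\]: Failed password for / && !/ for invalid user / {
            for (i = 1; i <= NF; i++) if ($i == "for") { n[$(i + 1)]++; break }
        }
        END { for (u in n) if (n[u] >= t) print u }
    ' "$1" | sort
}

# lock_failed_accounts LOGFILE [THRESHOLD]
# Lock each offending account with pw(8), which prefixes the password hash
# with *LOCKED* so password logins are refused until "pw unlock".
# With DRY_RUN=1 the function only reports what it would do.
lock_failed_accounts() {
    for u in $(users_to_lock "$1" "${2:-3}"); do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: pw lock $u"
        else
            pw lock "$u"
        fi
    done
}

# Typical use from a root cron job, e.g. every few minutes:
#   lock_failed_accounts /var/log/auth.log 3
```

Because the script counts every failure ever recorded, pair it with log rotation or a time window, otherwise an account stays locked on every run until the log is rotated.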