From owner-freebsd-security@FreeBSD.ORG Sat Sep 13 21:05:33 2008
From: mouss <mouss@netoyen.net>
Date: Sat, 13 Sep 2008 22:46:31 +0200
To: Toby Burress
Cc: freebsd-security@freebsd.org, Khachatur Shahinyan
Subject: Re: Freebsd auto locking users
Message-ID: <48CC26A7.6020407@netoyen.net>
References: <48CB52AE.6070501@arca.am> <20080913063522.GA3784@lithium.delete.org>
In-Reply-To: <20080913063522.GA3784@lithium.delete.org>
Toby Burress wrote:
> On Sat, Sep 13, 2008 at 10:42:06AM +0500, Khachatur Shahinyan wrote:
>> :passwordtime=90d:\
>> :warnpassword=7d:\
>> :warnexpire=7d:\
>>
>> Then I ran cap_mkdb /etc/login.conf, and everything went normally, with no error messages, but after adding a test user I see no changes in the master.passwd
>> file.
>> The fields which are reserved for password aging parameters are 0:0
>> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>>
>> And the locking point does not work either, e.g. no matter how many times I input a wrong password, I'm still able to log in. :(
>> I cannot understand what I'm doing wrong, and what should be done to solve these issues? I'm not an expert in FreeBSD administration, so any comments and suggestions are
>> welcome.
>
> You'll notice in the login.conf man page that these are in the
> "reserved capabilities" section:
>
> RESERVED CAPABILITIES
> The following capabilities are reserved for the purposes indicated and
> may be supported by third-party software. They are not implemented in
> the base system.
>
> For blocking repeated password attempts, check out security/pam_abl.
> Note that if sshd doesn't use PAM, it won't have any effect for ssh
> logins.
>
> A quick search doesn't show me any port for enforcing password age.
> For what it's worth, I once emailed Bruce Schneier about the
> effectiveness of that and he said he never changed his passwords
> (based on age, anyway). But there's probably something.

Given that it's not easy to select a good password (both strong and easy to remember), password expiration sometimes results in weak passwords or in forgotten ones, or, if no measure is taken against it, people change back to old ones.
http://www.cryptosmith.com/sanity/expharmful.html
http://www.rsa.com/blog/blog_entry.aspx?id=1286
http://www.cerias.purdue.edu/site/blog/post/password-change-myths/P50/

and the other side has its proponents of course:
http://lopsa.org/node/29
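The thread turns on the fact that the change and expire fields of master.passwd stayed 0:0 after setting the reserved login.conf capabilities. The following is an added example (not from anyone in this thread) that parses master.passwd(5) lines and reports whether password aging is actually populated for each account; the sample text is constructed, with the first entry being the one quoted above and the second a hypothetical user whose change deadline has passed.

```python
import time

# Field layout of a master.passwd(5) line:
# name:password:uid:gid:class:change:expire:gecos:home:shell
# "change" and "expire" are epoch seconds; 0 means the check is disabled.
FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home", "shell")

# Constructed sample: the entry quoted in the thread (0:0, no aging) plus a
# hypothetical "alice" whose password-change deadline is set in the past.
SAMPLE_MASTER_PASSWD = """\
test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
alice:*:1002:1002:staff:1200000000:0:Alice Example:/home/alice:/bin/sh
"""


def parse_master_passwd(text):
    """Parse master.passwd text into dicts; numeric fields become ints."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed master.passwd entry: %r" % line)
        entry = dict(zip(FIELDS, parts))
        for key in ("uid", "gid", "change", "expire"):
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries


def password_change_due(entry, now=None):
    """True only if a change deadline is set (non-zero) and has passed."""
    now = time.time() if now is None else now
    return entry["change"] != 0 and entry["change"] <= now


def account_expired(entry, now=None):
    """True only if an expiry is set (non-zero) and has passed."""
    now = time.time() if now is None else now
    return entry["expire"] != 0 and entry["expire"] <= now


def aging_report(text):
    """Map each user name to whether any aging field is populated at all."""
    return {e["name"]: (e["change"] != 0 or e["expire"] != 0)
            for e in parse_master_passwd(text)}
```

A user showing False in aging_report is in exactly the state described in the thread: whatever login.conf says, nothing will ever force a password change for that account until the field itself is set.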