From: Anton Shterenlikht
To: Erik Norgaard
Cc: freebsd-questions@freebsd.org
Date: Wed, 13 Dec 2006 09:45:05 +0000
Subject: Re: periodic passwd change?
Message-ID: <20061213094505.GA45652@mech-aslap33.men.bris.ac.uk>

On Tue, Dec 12, 2006 at 10:20:56PM +0100, Erik Norgaard wrote:
> Anton Shterenlikht wrote:
> >On Fri, Dec 08, 2006 at 09:57:22PM +0100, Erik Norgaard wrote:
> >>Anton Shterenlikht wrote:
> >>> I can't see how to prescribe periodic passwd change,
> >>>only how to set expiry time. At the moment I put the following
> >>>line in the root's crontab:
> >>>
> >>>2 2 2 * * pw usermod shterenl -p "`date '+\%d-\%m-\%Y'`"
> >>>
> >>>This makes a user's passwd expire once a month.
> >>>
> >>>Is there a better way to force users to change their passwds periodically?
> >>You can set it in login.conf, when the password is updated the next
> >>expire is automatically set.
> >
> >I checked login.conf. It seems that passwordtime option has no effect.
> >I did a brief search and found many postings describing the same problem:
> >many options from login.conf have no effect. Perhaps these are the
> >"RESERVED CAPABILITIES" as they are called in the man page. Some people
> >list a patch that supposedly fixes the problem, but I'm not sure if it
> >applies to 6.2-prerelease that I'm running.
> >
> >thanks
> >anton
> did you remember to cap_mkdb after? from the man page:
>
> "Whenever changes to this, or the user's ~/.login_conf, file are made,
> the modifications will not be picked up until cap_mkdb(1) is used to
> compile the file into a database."
>
> Cheers, Erik

yes, I did. Other options, e.g. passwd_prompt from Authentication
category do work, but passwordtime has no effect.
There are plenty of similar accounts I found on the net, e.g.:

www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-02/0039.html

"Many login.conf accounting and authentication options broken

Date: Mon, 3 Feb 2003 05:40:48 -0800
From: David Schultz
To: security@FreeBSD.ORG

Most of the accounting options in login.conf(5) and many examples
in /etc/login.conf don't seem to work. I can't even find any
evidence of a mechanism to support them. (Perhaps an old-timer can
tell me where one used to exist, if it used to exist.)
..."

thanks
anton
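
Added example, not part of the thread: an audit sketch that reads master.passwd(5)-format lines and prints a `pw usermod <name> -p` command for each login account whose password-change field is unset, so an expiry can be assigned per account instead of on one fixed calendar day. The sample accounts are constructed; the 30-day period, the uid cutoff of 1000 and the names `plan_expiry`, `sample_master_passwd`, `MAX_AGE` and `MIN_UID` are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Reads master.passwd(5) lines:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# and prints, without running it, a pw(8) command for every login account
# whose "change" field is 0 or empty, i.e. password aging is off.

MAX_AGE="${MAX_AGE:-+30d}"  # assumption: 30 days, pw(8) relative date form
MIN_UID="${MIN_UID:-1000}"  # assumption: regular users start at uid 1000

# Constructed sample input; hashes are placeholders, not real ones.
sample_master_passwd() {
cat <<'EOF'
# constructed sample
root:$1$placeholder:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
shterenl:$1$placeholder:1001:1001:default:0:0:Sample user:/home/shterenl:/bin/sh
alice:$1$placeholder:1002:1002:default:1167609600:0:Sample user:/home/alice:/bin/sh
bob:*LOCKED*$1$placeholder:1003:1003:default:0:0:Locked user:/home/bob:/bin/sh
carol:$1$placeholder:1004:1004:default::0:Sample user:/home/carol:/bin/sh
x;id:$1$placeholder:1005:1005:default:0:0:Bad name:/home/x:/bin/sh
EOF
}

plan_expiry() {
    awk -F: -v age="$MAX_AGE" -v min="$MIN_UID" '
        /^#/ || NF < 10 { next }          # comments and malformed lines
        $1 !~ /^[A-Za-z0-9_][A-Za-z0-9_.-]*$/ { next }  # never emit odd names
        ($3 + 0) < (min + 0) { next }     # system accounts
        $2 ~ /^\*/ { next }               # locked or password login disabled
        $10 ~ /nologin$/ { next }         # no interactive shell
        ($6 + 0) == 0 { printf "pw usermod %s -p %s\n", $1, age }
    '
}

# Dry run over the sample; on a real host feed it /etc/master.passwd as root.
sample_master_passwd | plan_expiry
```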