Date: Thu, 15 Jul 2010 18:01:10 +0000
From: "b. f." <bf1783@googlemail.com>
To: Fernan Aguero <fernan.aguero@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: login.conf: passwordtime not enforced?
Message-ID: <AANLkTimQmrpxRSvcyfjD7x0zE-YIBQB4yzjxwT0Ym_az@mail.gmail.com>
In-Reply-To: <AANLkTille9ndo1ih_1jmUoXstfrtCFHOqSk1zusHyfEi@mail.gmail.com>
References: <AANLkTikuegIq4Pc7zN5pkm40LkkCVW3tazSwtDemNsXy@mail.gmail.com> <AANLkTintrJOpJasxeNnxEZHCUmXz2CAsWg9-LT4irY2v@mail.gmail.com> <AANLkTikokMVfNWzE3k9dSfutHWO7I9LNk1QYyzsS0ikl@mail.gmail.com> <AANLkTille9ndo1ih_1jmUoXstfrtCFHOqSk1zusHyfEi@mail.gmail.com>
On 7/14/10, Fernan Aguero <fernan.aguero@gmail.com> wrote:
> On Wed, Jul 14, 2010 at 1:25 PM, b. f. <bf1783@googlemail.com> wrote:
>> On 7/14/10, Fernan Aguero <fernan.aguero@gmail.com> wrote:
...
>> The first time you have to change it manually for each account, with
>> passwd(1);
>
> Sorry if I'm getting dense but do you mean 'manually' as in editing
> master.passwd with vipw?
> Or do you really mean 'manually with passwd(1)? My passwd(1) only
> allows me to change the user password and even doing this doesn't
> update the expiration time in master.passwd. Is there a hidden
> functionality in passwd that allows me to set the expiration time for
> the password?

Yes, I meant with passwd(1). After some preliminaries, passwd(1) hands the task over to pam(3), in particular pam_sm_chauthtok(3) of pam_unix(8). This in turn uses the pw_* routines of libutil, contained in /usr/src/lib/libutil/pw_util.c. The pw_* use various libc functions and pwd_mkdb(8).

The handling of the reserved capabilities minpasswordlen, mixpasswordcase, passwordtime, etc. needs at least to be in pam(3), for when you are prompted to reset your password, and should probably be implemented in the other utilities that don't use pam(3), like chpass(1), pw(8), and the vipw(8) consistency checks. It looks like passwd(1) used to deal with these capabilities directly, but in April 2002 it was gutted and turned into a front-end for pam(3), and some of the options-handling fell by the wayside.

In Feb. 2010, in response to

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=bin/93310

des@, who is responsible for pam(3), added passwordtime-handling in:

http://svn.freebsd.org/viewvc/base?view=revision&revision=203377

At the time, he announced that it would be merged, at least into 8-STABLE (and subsequently into 8.1), in one week. He never performed this merge: I assume that he forgot. So unfortunately it looks as if you will have to manually set password expiration times.
You could do this, for example, with vipw(8); or with pw(8) and either a -p argument or a password_days entry in pw.conf(5). Or you could add the patch from the above PR to your system pam_unix(8) sources and rebuild them, or update to 9-CURRENT (which is what I am using).

I'm guessing that some of the other reserved options are neglected as well. You could enforce them manually, or patch pam_unix(8), chpass(1), pw(8), and vipw(8). If you do so, you should submit PRs with your patches, in the hopes that someone will reintroduce them into the base-system utilities. Ironically, the stripped-down /usr/src/release/picobsd/tinyware/passwd/local_passwd.c still handles some of them -- you could look at that for ideas.

Incidentally, if I were you, I would update at least to the latest stable release of FreeBSD, unless you are constrained to use the earlier releases for some work-related reason.

b.
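Since the reply above says passwordtime is not applied automatically on the releases in question and expiration must be set by hand, an administrator will want a way to find which accounts have no password-change deadline, or a deadline that has already passed. The script below is an added example, not code from the thread or from FreeBSD; it reads master.passwd(5)-format records (the sixth field is the "change" time as a UNIX epoch, 0 meaning unset) and reports UNSET and EXPIRED accounts. The sample records and the "now" value are constructed for the demonstration; the function name audit_change is the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit the "change" field of
# master.passwd-style records. On the releases discussed, login.conf
# passwordtime is not applied automatically, so this shows which
# accounts still need a deadline set with vipw(8) or pw(8) -p.
#
# master.passwd fields: name:pw:uid:gid:class:change:expire:gecos:home:shell
# "change" is the epoch time by which the password must be changed;
# 0 means no deadline has been set.

# Constructed sample records (not taken from any real system).
SAMPLE_MASTER_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:$6$x:1001:1001::1280000000:0:Alice:/home/alice:/bin/sh
bob:$6$y:1002:1002::1290000000:0:Bob:/home/bob:/bin/sh
carol:$6$z:1003:1003::0:0:Carol:/home/carol:/bin/sh'

# audit_change <now_epoch> [file]
# Prints "UNSET <name>" for accounts with no deadline and
# "EXPIRED <name> <change>" for accounts whose deadline is before
# now_epoch. Locked accounts (password field starting with "*") are
# skipped. Reads standard input when no file argument is given.
audit_change() {
    now="$1"; shift
    awk -F: -v now="$now" '
        NF < 10 { next }                    # skip malformed lines
        substr($2, 1, 1) == "*" { next }    # locked / no-login accounts
        $6 + 0 == 0 { printf "UNSET %s\n", $1; next }
        $6 + 0 < now + 0 { printf "EXPIRED %s %s\n", $1, $6 }
    ' "$@"
}

# Example run against the constructed sample with "now" = 1285000000:
# alice's deadline (1280000000) is past, carol has none, bob is fine,
# root is locked and therefore skipped.
printf '%s\n' "$SAMPLE_MASTER_PASSWD" | audit_change 1285000000

# On a live FreeBSD system you would run it against the real file:
#   audit_change "$(date +%s)" /etc/master.passwd
# and then set deadlines with pw(8), e.g. "pw usermod <user> -p <date>"
# (see pw(8) for the accepted date formats), or set password_days in
# pw.conf(5) so pw(8) applies one to accounts it creates.
```

The awk program does the comparisons numerically (`$6 + 0`) so that a stray non-numeric value in the change field is reported as UNSET rather than silently passing the check.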