Date:      Thu, 13 May 2004 14:34:13 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Piotr Gnyp <toread@discordia.pl>
Cc:        questions@freebsd.org
Subject:   Re: password expiry
Message-ID:  <20040513133413.GD39379@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <Pine.BSF.4.58.0405131320410.94580@discordia.pl>
References:  <Pine.BSF.4.58.0405131258380.94580@discordia.pl> <20040513111846.GC39379@happy-idiot-talk.infracaninophile.co.uk> <Pine.BSF.4.58.0405131320410.94580@discordia.pl>



On Thu, May 13, 2004 at 01:22:45PM +0200, Piotr Gnyp wrote:
> On Thu, 13 May 2004, Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:
>
> > On Thu, May 13, 2004 at 12:59:58PM +0200, Piotr Gnyp wrote:
> > > I'm trying to set password expiry for users, I've changed login.conf to:
> > >         :minpasswordlen=6:\
> > >         :passwordtime=30d:\
> > >         :warnpassword=1w:\
> > > But it doesn't seem to work. What am I missing, or where will I find the
> > > answer? Please advise.
> >     # cap_mkdb /etc/login.conf
> > perhaps?  Remember too that login.conf is only consulted at login
> > time, so you have to log out and back in again in order to see any
> > effects.
>
> done that, and also I've added to sshd_conf:
> UseLogin yes
> And no effect.
>
> Tried on 5.2.1-R-p6 and 4.10-PRER.

Ah... so you're using sshd(8).  You didn't happen to mention that
rather relevant information before.  Can you try logging in on the
console to test your changes?  If login.conf settings work on the
console then sshd is the problem.  Otherwise, it's the login.conf
stuff itself which is at fault.

sshd(8) defaults to trying its own key-based authentication and then
backing off to the standard PAM system to do user authentication --
see the ChallengeResponseAuthentication entry in sshd_config(5).  At
the moment the default value of the relevant bit in /etc/pam.conf (4.x
-- not sure what 5.x uses) is:

    sshd    account required        pam_unix.so

and if you check the source code for the pam_sm_acct_mgmt() function
of pam_unix.so in /usr/src/lib/libpam/modules/pam_unix/pam_unix.c you
can see that the login.conf settings are checked when the session is
authenticated using Unix passwords.  OTOH if you're using ssh keys it
doesn't seem to check that way.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040513133413.GD39379>
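
The checks suggested in the message above, gathered into a read-only script as an added example (not part of the original thread). It flags a login.conf.db that is missing or older than login.conf, confirms that a 4.x-style pam.conf has an `sshd account` line using pam_unix.so, and prints the sshd_config options the thread mentions. The function names are hypothetical and all file paths are passed as arguments.

```shell
#!/bin/sh
# Added example: read-only checks for the points raised in the thread.
# All paths are arguments, so it can be run against copies of the files.

# First uncommented value of an sshd_config keyword; empty if not set.
# Keywords are case-insensitive and the first occurrence wins.
sshd_opt() {  # usage: sshd_opt FILE KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Modules on the "account" facility for SERVICE in a 4.x-style pam.conf
# (columns: service facility control module [args]).
pam_account_modules() {  # usage: pam_account_modules FILE SERVICE
    awk -v s="$2" '$1 == s && $2 == "account" { print $4 }' "$1"
}

# Exit 0 when CONF.db is missing or older than CONF, i.e. cap_mkdb has
# not been run since the last edit.
db_stale() {  # usage: db_stale CONF
    [ ! -e "$1.db" ] || [ "$1" -nt "$1.db" ]
}

# Print one line per check; return non-zero if a check fails.
check_expiry_path() {  # usage: check_expiry_path LOGIN_CONF SSHD_CONFIG PAM_CONF
    rc=0
    if db_stale "$1"; then
        echo "FAIL: $1.db missing or older than $1 (run cap_mkdb)"; rc=1
    else
        echo "ok:   $1.db is up to date"
    fi
    if pam_account_modules "$3" sshd | grep -q 'pam_unix\.so$'; then
        echo "ok:   sshd account stage calls pam_unix.so"
    else
        echo "FAIL: no 'sshd account ... pam_unix.so' line in $3"; rc=1
    fi
    cra=$(sshd_opt "$2" ChallengeResponseAuthentication)
    ul=$(sshd_opt "$2" UseLogin)
    echo "info: ChallengeResponseAuthentication=${cra:-(default)} UseLogin=${ul:-(default)}"
    return "$rc"
}

# Stand-alone use: sh check.sh /etc/login.conf /etc/ssh/sshd_config /etc/pam.conf
if [ "$#" -eq 3 ]; then check_expiry_path "$@"; fi
```

A pass on all lines only shows the configuration is in place for logins that go through PAM's account stage; per the message, a key-authenticated session may still not be subject to the login.conf expiry check.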