Date: Sat, 13 Sep 2008 02:35:23 -0400
From: Toby Burress <kurin@delete.org>
To: Khachatur Shahinyan <khachatur.shahinyan@arca.am>
Cc: freebsd-security@freebsd.org
Subject: Re: Freebsd auto locking users
Message-ID: <20080913063522.GA3784@lithium.delete.org>
In-Reply-To: <48CB52AE.6070501@arca.am>
On Sat, Sep 13, 2008 at 10:42:06AM +0500, Khachatur Shahinyan wrote:
> :passwordtime=90d:\
> :warnpassword=7d:\
> :warnexpire=7d:\
> Then I made the cap_mkdb /etc/login.conf , and everything went normal, no error messages,
> but after adding a test user I see no changes in the master.passwd file.
> The fields which are reserved for password aging parameters are 0:0
> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>
> And the locking point does not work either, e.g. no matter how many times I input the wrong password, I'm still able to log in. :(
> I cannot understand what I'm doing wrong, and what should be done to solve these issues? I'm not an expert in FreeBSD administration, so any comments and
> suggestions are welcome.

You'll notice in the login.conf man page that these are in the
"reserved capabilities" section:

    RESERVED CAPABILITIES
         The following capabilities are reserved for the purposes indicated and
         may be supported by third-party software.  They are not implemented in
         the base system.

For blocking repeated password attempts, check out security/pam_abl.
Note that if sshd doesn't use PAM, it won't have any effect for ssh
logins.

A quick search doesn't show me any port for enforcing password age.
For what it's worth, I once emailed Bruce Schneier about the
effectiveness of that and he said he never changed his passwords
(based on age, anyway).  But there's probably something.
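
An added example, not part of the original message: a Python check for the two points the reply raises. It lists reserved login.conf capabilities that are set in a class (and so may not be enforced by anything) and reports whether an sshd_config explicitly sets UsePAM. The RESERVED set holds only the three capabilities quoted in this thread, the sample input is constructed, and all function names are hypothetical.

```python
import re

# Assumption: only the three capabilities quoted in the thread, which the reply
# places under RESERVED CAPABILITIES. Adjust from login.conf(5) on your release.
RESERVED = {"passwordtime", "warnpassword", "warnexpire"}

# Constructed sample, modelled on the entries quoted in the thread.
SAMPLE_LOGIN_CONF = """\
# comment lines are ignored
default:\\
\t:passwd_format=md5:\\
\t:passwordtime=90d:\\
\t:warnpassword=7d:\\
\t:warnexpire=7d:
"""

def parse_login_conf(text):
    """Return {class_name: {capability: value}} from termcap-style text."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    joined = re.sub(r"\\\n\s*", "", "\n".join(lines))  # join continuations
    classes = {}
    for record in joined.splitlines():
        fields = [f.strip() for f in record.split(":")]
        if not fields[0]:
            continue  # blank line
        caps = {}
        for field in filter(None, fields[1:]):
            name, _, value = field.partition("=")  # boolean caps have no value
            caps[name] = value
        classes[fields[0].split("|")[0]] = caps
    return classes

def unenforced_settings(login_conf_text):
    """List (class, capability, value) for reserved capabilities that are set."""
    found = []
    for cls, caps in parse_login_conf(login_conf_text).items():
        for cap in sorted(RESERVED & caps.keys()):
            found.append((cls, cap, caps[cap]))
    return found

def sshd_uses_pam(sshd_config_text):
    """True/False for an explicit UsePAM line, None if the file leaves it unset."""
    for line in sshd_config_text.splitlines():
        m = re.match(r"\s*UsePAM[\s=]+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() == "yes"  # first value found is used
    return None  # unset: the build default applies

if __name__ == "__main__":
    for cls, cap, value in unenforced_settings(SAMPLE_LOGIN_CONF):
        print(f"class {cls}: {cap}={value} is reserved; confirm something enforces it")
    print("UsePAM:", sshd_uses_pam("#UsePAM yes\nUsePAM no\n"))
```

To audit a live host, pass the contents of /etc/login.conf and /etc/ssh/sshd_config to the two functions instead of the constructed strings.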
