On 12/04/2012 10:15, Jun Li BJ Zhao wrote:
> To force local user in FreeBSD system changing their password periodically,
> I want to set Password Change Time. I tried the following two ways, but
> both failed. Could you please give me the correct operations? Thanks a lot!
>
> Method 1:
> Added passwordtime=2m to /etc/login.conf, then run the command
> cap_mkdb /etc/login.conf.
> Result: password of any user was not expired after two minutes.

This just sets the default password expiry. If you created a new account
after doing this, it should have the password expiry behaviour you expect.

> Method 2:
> Run the command pw usermod root -p 2m
> Result: password of root was expired after two minutes. But after I changed
> it one time, it would be never expired again.

Method 1 is what you want to use to set a system-wide password expiry
policy, and Method 2 is one way of applying that policy to existing
accounts.

You need to modify /etc/master.passwd to enable the policy on existing
accounts after setting up /etc/login.conf. There are two master.passwd
fields that control this functionality:

Field 5: the users' class -- which entry in /etc/login.conf applies for
this account. By default this is empty, which means 'use the default
class.'

Field 6: the time that account password must next be changed, given as a
standard seconds-since-the-epoch unix time. If zero, then the password
never expires.

So to set the policy, decide on a login class for all your real users,
add them to it, configure the class with your preferred password
lifetime, then modify master.passwd to set the time when the first
password change should happen for all existing accounts ('pw usermod -p
time' is a way of doing that. Or you could just edit master.passwd
directly if you want to set this in bulk.) With the login.conf policy in
place passwd(1) should reset the 6th field appropriately next time the
password is changed.

The root account is special as regards this functionality. Try using an
unprivileged account for testing purposes.

Cheers

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
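An added example, not part of the original message: a small sh/awk audit of the two master.passwd fields described in the reply, showing which password accounts still sit in the default class or have a change time of zero. The function names, the status labels and the sample entries are assumptions made for illustration; the sample data is constructed.

```shell
#!/bin/sh
# Audit fields 5 (class) and 6 (change time) of a master.passwd-format file.
# Record layout: name:password:uid:gid:class:change:expire:gecos:home:shell

# audit_pwchange FILE NOW
#   FILE  file in master.passwd format (the real one is readable by root only)
#   NOW   current time in seconds since the epoch, e.g. "$(date +%s)"
# Prints "<name> <class> <status>" for every account with a usable password.
# status: never-expires (field 6 is 0 or empty), change-due, or ok.
audit_pwchange() {
    awk -F: -v now="$2" '
        /^#/ || NF < 10 { next }       # skip comments and malformed records
        $2 ~ /^\*/      { next }       # "*" password: no password login to age
        {
            class = ($5 == "") ? "default" : $5   # empty field 5 = default class
            chg = $6 + 0                          # force numeric comparison
            if (chg == 0)             status = "never-expires"
            else if (chg <= now + 0)  status = "change-due"
            else                      status = "ok"
            print $1, class, status
        }
    ' "$1"
}

# Constructed sample records (hashes are placeholders, not real ones).
make_sample() {
    cat <<'EOF'
# constructed sample, not a real password database
root:$6$constructed$hash:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$6$constructed$hash:1001:1001:staff:1700000000:0:Alice:/home/alice:/bin/sh
bob:$6$constructed$hash:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$6$constructed$hash:1003:1003:staff:1900000000:0:Carol:/home/carol:/bin/sh
EOF
}

# Demo run against the sample; point FILE at a copy of master.passwd to audit
# a real system.
sample=$(mktemp)
make_sample > "$sample"
audit_pwchange "$sample" "$(date +%s)"
rm -f "$sample"
```

Accounts reported as never-expires are the existing accounts that still need their first change time set before the login.conf policy takes over.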