On Thu, May 13, 2004 at 01:22:45PM +0200, Piotr Gnyp wrote:
> On Thu, 13 May 2004, Matthew Seaman <[EMAIL PROTECTED]> wrote:
>
> > On Thu, May 13, 2004 at 12:59:58PM +0200, Piotr Gnyp wrote:
> > > I'm trying to set password expiry for users, I've changed login.conf to:
> > >     :minpasswordlen=6:\
> > >     :passwordtime=30d:\
> > >     :warnpassword=1w:\
> > > But it doesn't seem to work. What am I missing, or where will I find the
> > > answer? Please advise.
> >
> >     # cap_mkdb /etc/login.conf
> >
> > perhaps? Remember too that login.conf is only consulted at login
> > time, so you have to log out and back in again in order to see any
> > effects.
>
> done that, and also I've added to sshd_conf:
>     UseLogin yes
> And no effect.
>
> Tried on 5.2.1-R-p6 and 4.10-PRER.

Ah... so you're using sshd(8). You didn't happen to mention that rather relevant information before.

Can you try logging in on the console to test your changes? If login.conf settings work on the console then sshd is the problem. Otherwise, it's the login.conf stuff itself which is at fault.

sshd(8) defaults to trying its own key based authentication and then backing off to the standard PAM system to do user authentication -- see the ChallengeResponseAuthentication entry in sshd_config(5). At the moment the default value of the relevant bit in /etc/pam.conf (4.x -- not sure what 5.x uses) is:

    sshd    account required    pam_unix.so

and if you check the source code for the pam_sm_acct_mgmt() function of pam_unix.so in /usr/src/lib/libpam/modules/pam_unix/pam_unix.c you can see that the login.conf settings are checked when the session is authenticated using Unix passwords.

OTOH if you're using ssh keys it doesn't seem to check that way.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
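
The two login.conf checks discussed in the thread (was `cap_mkdb` rerun after the edit, and are the expiry capabilities actually in the class record), as an added example that is not part of either poster's message. The function names are hypothetical, the sample file is constructed, and the script does not follow `tc=` inheritance or look at the sshd key-authentication path.

```shell
#!/bin/sh
# Added example, not from the thread. File paths are passed in as arguments.

# login_db_stale CONF DB: succeeds when DB (as written by cap_mkdb, i.e.
# CONF.db) is missing or older than CONF, so edits are not yet in effect.
login_db_stale() {
    [ -f "$2" ] || return 0
    [ -n "$(find "$1" -newer "$2" 2>/dev/null)" ]
}

# login_cap CONF CLASS CAP: print CAP's value from CLASS's own record.
# tc= inheritance is not followed; prints nothing when CAP is not set there.
login_cap() {
    awk -v class="$2" -v cap="$3" '
        /^[ \t]*#/ { next }                      # comment line
        {
            line = $0
            cont = sub(/\\[ \t]*$/, "", line)    # trailing backslash: record continues
            rec = rec line
            if (cont) next
            n = split(rec, f, ":"); rec = ""
            m = split(f[1], names, "|"); hit = 0
            for (i = 1; i <= m; i++) if (names[i] == class) hit = 1
            if (!hit) next
            for (i = 2; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (index(f[i], cap "=") == 1) {
                    print substr(f[i], length(cap) + 2); exit
                }
            }
        }' "$1"
}

# audit_expiry CONF DB CLASS: report both checks; non-zero if anything is off.
audit_expiry() {
    rc=0
    if login_db_stale "$1" "$2"; then echo "stale: rerun cap_mkdb $1"; rc=1; fi
    for c in passwordtime warnpassword minpasswordlen; do
        v=$(login_cap "$1" "$3" "$c")
        if [ -n "$v" ]; then echo "$3: $c=$v"; else echo "$3: $c unset"; rc=1; fi
    done
    return "$rc"
}

# Demo on a constructed file (not a real system's login.conf).
tmp=$(mktemp -d)
printf 'default:\\\n  :minpasswordlen=6:\\\n  :passwordtime=30d:\\\n  :warnpassword=1w:\n' > "$tmp/login.conf"
audit_expiry "$tmp/login.conf" "$tmp/login.conf.db" default || true
rm -rf "$tmp"
```

On a real host the call would be `audit_expiry /etc/login.conf /etc/login.conf.db default`, with the class name taken from the user's entry in the password database.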