password aging

2003-06-06 Thread Glenn Johnson
Is there any way to get password aging to work properly on FreeBSD?  It
seems every time I figure out how to work around one limitation, I come
across another one.

-- 
Glenn Johnson
USDA, ARS, SRRC  Phone: (504) 286-4252
New Orleans, LA 70124   e-mail: [EMAIL PROTECTED]
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: password aging

2003-06-06 Thread Toni Schmidbauer
On Thu, Jun 05, 2003 at 01:41:10PM -0500, Glenn Johnson wrote:
> Is there any way to get password aging to work properly on FreeBSD?  It
> seems every time I figure out how to work around one limitation, I come
> across another one.

man pw(8)

see options -e and -p

for example pw usermod luser -p 01072003, so the user has to
change his pw on 01-07-2003.

if this is not working for you, please post the error message.

hth,
toni
-- 
Treat people as if they were what they ought to be, | toni at stderror dot at
and you will help them become what they are capable | Toni Schmidbauer
of being.  - Johann Wolfgang von Goethe             |



Re: password aging

2003-06-06 Thread Glenn Johnson
On Thu, Jun 05, 2003 at 09:28:28PM +0200, Toni Schmidbauer wrote:

> On Thu, Jun 05, 2003 at 01:41:10PM -0500, Glenn Johnson wrote:
>
> > Is there any way to get password aging to work properly on FreeBSD?
> > It seems every time I figure out how to work around one limitation,
> > I come across another one.
>
> man pw(8)
>
> see options -e and -p
>
> for example pw usermod luser -p 01072003, so the user has to change
> his pw on 01-07-2003.
>
> if this is not working for you, please post the error message.

I know I was vague in my message; I was beating my head against the wall
at the time.  The implementation of a password aging scheme has been
mandated by my employer.

I have used pw -p to set the age field in master.passwd.

Problems:

[1] Password aging does not work with NIS, which I use.  My
understanding is that password aging does work with nisplus, but
FreeBSD does not have that.  I figured out how to work around this
by disabling console logins on the backend nodes and just having one
machine for logins that uses local password entries.  I adjusted
nsswitch.conf accordingly.  This is a cluster so that workaround is
satisfactory for my situation.

[2] After a user changes the password, the change field in master.passwd
is set back to 0.  I want the counter to start counting another 30
days.  A cron job can handle running 'pw usermod user -p +30d' so
this is no big deal but it would be nice to have an option to repeat
the time period of expiration.

[3] Password aging does not work with xdm/gdm/kdm.  I know this is not a 
FreeBSD problem and a script in the session startup files is needed
here.

[4] This is the show-stopper.  When the password is expired, ssh logins
fail.  There is no opportunity to change the password because the
connection is closed immediately.  I get the following error:

sshd[45700]: fatal: monitor_read: unsupported request: 24

So if I need to log in remotely and the password has expired, I am
out of luck.

-- 
Glenn Johnson
USDA, ARS, SRRC  Phone: (504) 286-4252
New Orleans, LA 70124   e-mail: [EMAIL PROTECTED]
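
The cron job mentioned in problem [2] above, sketched as an added example that is not part of the original thread. It assumes the policy covers every ordinary account, that ordinary accounts start at UID 1000, and that it runs as root; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: re-arm the password change timer after a user has changed
# the password and the change field in master.passwd has gone back to 0.
# master.passwd fields:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell

MIN_UID=1000    # assumption: ordinary accounts start at UID 1000
PERIOD="+30d"   # from the thread: pw usermod user -p +30d

# Read master.passwd-format lines on stdin and print the login name of every
# ordinary, usable account whose change field (field 6) is 0 or empty.
accounts_to_rearm() {
    awk -F: -v min="$MIN_UID" '
        /^[ \t]*#/ || NF != 10                 { next }  # comment or malformed
        ($3 !~ /^[0-9]+$/) || (($3 + 0) < min) { next }  # system account
        $2 == "" || $2 ~ /^\*/                 { next }  # no password or locked
        $1 !~ /^[A-Za-z0-9_][A-Za-z0-9._-]*$/  { next }  # unexpected login name
        $6 ~ /^0*$/                            { print $1 }
    '
}

# Constructed sample entries (not real accounts or hashes).
sample_master_passwd() {
cat <<'EOF'
root:$1$constructed$hash:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$1$constructed$hash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$constructed$hash:1002:1002::1057000000:0:Bob:/home/bob:/bin/sh
carol:*LOCKED*$1$constructed$hash:1003:1003::0:0:Carol:/home/carol:/bin/sh
EOF
}

# With --apply (run as root from cron), set a new change date for each
# selected account. Without it the script changes nothing.
if [ "${1:-}" = "--apply" ]; then
    accounts_to_rearm < /etc/master.passwd | while read -r user; do
        pw usermod "$user" -p "$PERIOD"
    done
fi
```

Running `sample_master_passwd | accounts_to_rearm` shows which accounts would be touched before the job is enabled with `--apply`.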


password aging

2003-06-03 Thread Glenn Johnson
I need to implement a password aging capability for my FreeBSD systems
(5.0).  This is mandated by my employer.  I want to be able to have the
user prompted to change the password every 30 days and disallow login
if the password is not changed.  It would be nice to have a password
strength checker run as well before accepting the password.

I figured out how to set the password expiry date but the password
change field is not updated in the master.passwd file after the password
is changed.  It looks like I am going to have to write some scripts to
handle this but I wanted to check with the list to see if anyone could
offer any pointers, gotchas, etc.

Thanks.

-- 
Glenn Johnson
USDA, ARS, SRRC  Phone: (504) 286-4252
New Orleans, LA 70124   e-mail: [EMAIL PROTECTED]