Re: Help with password expire

From: Glenn Johnson <glennpj_at_charter.net>
Date: Sun, 7 Sep 2003 19:00:40 -0500

On Sun, Sep 07, 2003 at 04:31:33PM -0700, Chris Petrik wrote:

> I am trying to use FreeBSD's way of password expiration to make it so
> I need to change my password every 30 days. I've got:
> :warnpassword=4d:\
> :passwordtime=30d:
> in my /etc/login.conf and did a cap_mkdb /etc/login.conf. I tried to change
> the password of one of my users using passwd and it doesn't seem to
> add a change time to it; according to chpass the "Change [month day
> year]:" stays unchanged. If I manually add the change time using pw
> it adds the change time, but if I change the password it doesn't add a
> new change time. Do I need to edit the /etc/pam.d/passwd and uncomment
> the top line that's commented out? Because it seems to be broken at the
> moment, as it doesn't do what I ask it to do. If you need anything else
> please let me know.

A password expiry system is not natively implemented in FreeBSD although
the password expiry field in the password database allows one to set up
a system.

The users on the system where I work log in mostly via gdm so I set
up some checks in the PreSession file to check the password expiry
field and call passwd if the password has expired.  After a successful
password change, the pw command is called to reset the expiry field.  To
catch the case where a user changes the password at a time other than
when prompted via the PreSession script I set up a script that runs via
periodic/daily.  This script checks the expiry field and if 0 it calls
pw to set the expiry field to the appropriate value.  Since this runs
daily, the assumption is that the password was changed within the last
24 hours.

The password warning feature works really well with gdm as it pops up a
dialog box.  There is no warning at console logins but I am the only one
allowed to log in at the console so that is not a big deal for me but
may be for you.

There is a warning displayed during an ssh login but it is very easy
to miss it as it scrolls off the screen.  One warning about ssh: Once
the user's password has expired, ssh will not allow the login thereby
locking out that user from that mode of access.  This is not FreeBSD
specific.

There are probably several ways to write scripts for this and they would
have to be tailored to your situation but hopefully I have given you
some ideas about how to proceed.  One thing that will definitely
influence how you ultimately set this up is whether you use NIS or not.

-- 
Glenn Johnson
glennpj_at_charter.net
Received on Sun Sep 07 2003 - 15:00:44 UTC
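
A sketch of the periodic/daily check described in the message above, added here as an example; it is not Glenn Johnson's script. It reads master.passwd-format lines and prints one "pw usermod ... -p" command for each account whose change field is 0. The 30-day age (from the question), the uid 1000 cutoff, the skipping of locked accounts, the function names and the sample data are all assumptions.

```shell
#!/bin/sh
# Added example: plan the daily reset of the password change field.
# master.passwd(5): name:passwd:uid:gid:class:change:expire:gecos:home:shell

MAX_AGE="+30d"   # assumption: 30-day policy from the question (pw relative date)
MIN_UID=1000     # assumption: ordinary user accounts start at uid 1000

# Print the pw(8) commands instead of running them, so the plan can be
# reviewed first. $1 is a file in master.passwd format ("-" for stdin);
# the default /etc/master.passwd is readable by root only.
plan_expiry_resets() {
    awk -F: -v min="$MIN_UID" -v age="$MAX_AGE" '
        /^#/ || NF != 10                     { next }  # comment or malformed
        $1 !~ /^[A-Za-z0-9_][A-Za-z0-9_.-]*$/ { next }  # unsafe name for a command line
        $3 + 0 < min                         { next }  # system account
        $2 == "" || $2 ~ /^\*/               { next }  # no password, disabled or locked
        $6 + 0 == 0 { printf "pw usermod %s -p %s\n", $1, age }
    ' "${1:-/etc/master.passwd}"
}

# Constructed sample data (not real accounts or hashes).
sample_master_passwd() {
    cat <<'EOF'
# constructed sample
root:$6$constructed:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$6$constructed:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$6$constructed:1002:1002::1065484800:0:Bob:/home/bob:/bin/sh
carol:*LOCKED*$6$constructed:1003:1003::0:0:Carol:/home/carol:/bin/sh
EOF
}

# Try it on the sample:   sample_master_passwd | plan_expiry_resets -
# From periodic/daily, as root, after reviewing the output:
#   plan_expiry_resets | sh
```

As in the message, a change field of 0 is taken to mean the password was changed since the last run, so an account that has never had the field set is also given a fresh 30 days on the first run.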
