password aging

Glenn Johnson gjohnson at srrc.ars.usda.gov
Thu Jun 5 15:35:48 PDT 2003


On Thu, Jun 05, 2003 at 09:28:28PM +0200, Toni Schmidbauer wrote:

> On Thu, Jun 05, 2003 at 01:41:10PM -0500, Glenn Johnson wrote:
>
> > Is there any way to get password aging to work properly on FreeBSD?
> > It seems every time I figure out how to work around one limitation,
> > I come across another one.
>
> man pw(8)
>
> see options -e and -p
>
> for example "pw usermod luser -p 01072003", so the user has to change
> his pw on 01-07-2003.
>
> if this is not working for you, please post the error message.

I know I was vague in my message; I was beating my head against the wall
at the time.  The implementation of a password aging scheme has been
mandated by my employer.

I have used pw -p to set the age field in master.passwd.

Problems:

[1] Password aging does not work with NIS, which I use.  My
    understanding is that password aging does work with nisplus, but
    FreeBSD does not have that.  I figured out how to work around this
    by disabling console logins on the backend nodes and just having one
    machine for logins that uses local password entries.  I adjusted
    nsswitch.conf accordingly.  This is a cluster so that workaround is
    satisfactory for my situation.

[2] After a user changes the password, the change field in master.passwd
    is set back to 0.  I want the counter to start counting another 30
    days.  A cron job can handle running 'pw usermod user -p +30d' so
    this is no big deal but it would be nice to have an option to repeat
    the time period of expiration.

[3] Password aging does not work with xdm/gdm/kdm.  I know this is not a
    FreeBSD problem and a script in the session startup files is needed
    here.

[4] This is the show-stopper.  When the password is expired, ssh logins
    fail.  There is no opportunity to change the password because the
    connection is closed immediately.  I get the following error:

    sshd[45700]: fatal: monitor_read: unsupported request: 24

    So if I need to login remotely and the password has expired, I am
    out of luck.

-- 
Glenn Johnson
USDA, ARS, SRRC			 Phone: (504) 286-4252
New Orleans, LA 70124		e-mail: gjohnson at srrc.ars.usda.gov
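The cron-driven workaround from item [2] (re-arming the 30-day clock with `pw usermod user -p +30d` after pw(8) zeroes the change field) and the expiry check behind item [4] can both be scripted against the master.passwd(5) layout. The following is an added example written for this thread, not code from the poster or from FreeBSD: it parses constructed master.passwd lines (field order name:passwd:uid:gid:class:change:expire:gecos:home:shell, change field in epoch seconds), lists accounts with no aging set, prints the corresponding pw(8) re-arm commands, and lists accounts whose change date has already passed so an administrator can spot them before a remote login would be refused. The helper names and the sample accounts are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of master.passwd(5) lines (not a real system file).
# Field 6 is "change": 0 = no aging, otherwise the epoch time at which
# the user must change the password.
SAMPLE_MASTER_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$x:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$y:1002:1002::1055000000:0:Bob:/home/bob:/bin/sh
carol:$1$z:1003:1003::2000000000:0:Carol:/home/carol:/bin/sh'

# Print the login names of accounts with uid >= $2 whose change field is 0,
# i.e. accounts that pw(8) left without an aging deadline after a password
# change. $1 is the master.passwd content to scan.
users_without_aging() {
    printf '%s\n' "$1" | awk -F: -v min="$2" '$3 >= min && $6 == 0 { print $1 }'
}

# Emit the pw(8) command (from the thread) that restarts the 30-day clock
# for each account reported by users_without_aging. Output is printed,
# not executed, so it can be reviewed or piped to sh by cron.
aging_reset_commands() {
    users_without_aging "$1" "$2" | while read -r u; do
        printf 'pw usermod %s -p +30d\n' "$u"
    done
}

# Print accounts whose change deadline ($6) is set and already in the past
# relative to epoch time $2. These are the users who would currently be
# refused by sshd rather than prompted to change their password.
expired_users() {
    printf '%s\n' "$1" | awk -F: -v now="$2" '$6 != 0 && $6 <= now { print $1 }'
}

# Stand-alone usage against the constructed sample. On a real host the
# content would come from /etc/master.passwd (readable by root only) and
# the time from `date +%s`.
if [ "${1:-}" = "--demo" ]; then
    echo "accounts without aging:";      users_without_aging "$SAMPLE_MASTER_PASSWD" 1000
    echo "re-arm commands:";             aging_reset_commands "$SAMPLE_MASTER_PASSWD" 1000
    echo "expired as of 1700000000:";    expired_users "$SAMPLE_MASTER_PASSWD" 1700000000
fi
```

Running `sh script.sh --demo` reports alice as the account with no deadline, prints `pw usermod alice -p +30d` for her, and reports bob as already expired (his change field, 1055000000, is earlier than the chosen reference time), while carol's far-future deadline keeps her out of both lists. The cron job from item [2] would feed the real master.passwd into aging_reset_commands, and a daily run of expired_users gives warning of accounts that will hit the sshd failure in item [4].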


More information about the freebsd-questions mailing list