How to set Password Change Time in FreeBSD

Matthew Seaman matthew at FreeBSD.org
Thu Apr 12 12:10:18 UTC 2012


On 12/04/2012 10:15, Jun Li BJ Zhao wrote:
> To force local users on a FreeBSD system to change their passwords
> periodically, I want to set Password Change Time. I tried the following two
> ways, but both failed. Could you please give me the correct operations?
> Thanks a lot!
> 
> Method 1:
> Added passwordtime=2m to /etc/login.conf, then ran the command
> cap_mkdb /etc/login.conf.
> Result: the password of any user did not expire after two minutes.

This just sets the default password expiry.  If you created a new
account after doing this, it should have the password expiry behaviour
you expect.

> Method 2:
> Ran the command pw usermod root -p 2m
> Result: the password of root expired after two minutes. But after I changed
> it one time, it never expired again.

Method 1 is what you want to use to set a system-wide password expiry
policy, and Method 2 is one way of applying that policy to existing
accounts.  You need to modify /etc/master.passwd to enable the policy on
existing accounts after setting up /etc/login.conf . There are two
master.passwd fields that control this functionality:

    Field 5: the users' class -- which entry in /etc/login.conf applies
    for this account.  By default this is empty, which means 'use the
    default class.'

    Field 6: the time that the account password must next be changed, given
    as a standard seconds-since-the-epoch unix time.  If zero, then the
    password never expires.

So to set the policy, decide on a login class for all your real users,
add them to it, configure the class with your preferred password
lifetime, then modify master.passwd to set the time when the first
password change should happen for all existing accounts ('pw usermod -p
time' is a way of doing that.  Or you could just edit master.passwd
directly if you want to set this in bulk.)  With the login.conf policy
in place passwd(1) should reset the 6th field appropriately next time
the password is changed.

The root account is special as regards this functionality.  Try using an
unprivileged account for testing purposes.

	Cheers

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
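
An added example, not part of the original message: a shell function that reads master.passwd-format lines and reports, for each account that can log in with a password, its login class (field 5) and whether a next-change time (field 6) is set. The function names, the sample accounts and the fixed "now" value are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit master.passwd-format input for password-change policy.
# Fields (colon separated): 1 name, 2 password, 3 uid, 4 gid, 5 class,
# 6 change (epoch seconds, 0 = never), 7 expire, 8 gecos, 9 home, 10 shell.

# audit_pwchange NOW: read master.passwd-format lines on stdin and print
# "name class state" for every account that can log in with a password.
audit_pwchange() {
    awk -F: -v now="$1" '
        /^#/ || NF != 10 { next }                  # comments, malformed lines
        $2 == "*" || $2 ~ /^\*LOCKED\*/ { next }   # no password login
        {
            class  = ($5 == "") ? "default" : $5   # empty class = default
            change = $6 + 0                        # force numeric comparison
            if (change == 0)        state = "never"
            else if (change <= now) state = "overdue"
            else state = "due_in_" int((change - now) / 86400) "d"
            print $1, class, state
        }'
}

# Constructed sample data (not from a real system); hashes are placeholders.
sample_master_passwd() {
    cat <<'EOF'
# constructed sample
root:$6$placeholder:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$6$placeholder:1001:1001:staff:1336000000:0:Alice:/home/alice:/bin/sh
bob:$6$placeholder:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$6$placeholder:1003:1003:staff:1330000000:0:Carol:/home/carol:/bin/sh
EOF
}

# 1334232618 is Thu Apr 12 12:10:18 UTC 2012, used as a fixed "now".
sample_master_passwd | audit_pwchange 1334232618
```

On a FreeBSD host, run as root: audit_pwchange "$(date +%s)" < /etc/master.passwd. Accounts reported as "never" are the existing accounts that still need a first change time set.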

