FreeBSD auto locking users
Toby Burress
kurin at delete.org
Sat Sep 13 06:52:24 UTC 2008
On Sat, Sep 13, 2008 at 10:42:06AM +0500, Khachatur Shahinyan wrote:
> :passwordtime=90d:\
> :warnpassword=7d:\
> :warnexpire=7d:\
>
> Then I made the cap_mkdb /etc/login.conf, and everything went normal, no error messages, but after adding a test user I see no changes in the master.passwd
> file.
> The fields which are reserved for password aging parameters are 0:0
> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>
> And the locking point does not work either, e.g. no matter how many times I input the wrong password, I'm still able to log in. :(
> I cannot understand what I'm doing wrong, and what should be done to solve these issues? I'm not an expert in FreeBSD administration, so any comments and suggestions are
> welcome.

You'll notice in the login.conf man page that these are in the
"reserved capabilities" section:

    RESERVED CAPABILITIES
    The following capabilities are reserved for the purposes indicated and
    may be supported by third-party software. They are not implemented in
    the base system.

For blocking repeated password attempts, check out security/pam_abl.
Note that if sshd doesn't use PAM, it won't have any effect for ssh
logins.

A quick search doesn't show me any port for enforcing password age.
For what it's worth, I once emailed Bruce Schneier about the
effectiveness of that and he said he never changed his passwords
(based on age, anyway). But there's probably something.
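
An added example, not part of the original thread: a small audit check that reports login classes setting capabilities the message identifies as reserved, and reads the change/expire fields of master.passwd entries. The sample inputs are constructed, and only the three capabilities quoted in the thread are listed; check the RESERVED CAPABILITIES section of login.conf(5) on your release for the full set.

```python
import re

# Capabilities the thread identifies as reserved (not implemented in base).
# Assumption: only the three quoted in the message; extend from login.conf(5).
RESERVED = {"passwordtime", "warnpassword", "warnexpire"}

# Constructed sample: a login class using the settings quoted in the thread.
SAMPLE_LOGIN_CONF = r"""default:\
    :passwordtime=90d:\
    :warnpassword=7d:\
    :warnexpire=7d:\
    :umask=022:
"""
# Constructed master.passwd(5) line; the hash is a placeholder.
SAMPLE_MASTER_PASSWD = "test:$1$PLACEHOLDER:1001:1001::0:0:User &:/home/test:/bin/sh\n"

def parse_login_conf(text):
    """Return {class_name: {capability: value}} from login.conf-style text."""
    joined = re.sub(r"\\\n\s*", "", text)  # fold backslash continuation lines
    classes = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":") if f.strip()]
        caps = dict(f.partition("=")[::2] for f in fields[1:])
        for name in fields[0].split("|"):  # a class may carry aliases
            classes[name] = caps
    return classes

def unenforced_settings(classes):
    """List (class, capability, value) for reserved capabilities that are set."""
    return sorted((c, k, v) for c, caps in classes.items()
                  for k, v in caps.items() if k in RESERVED)

def aging_fields(text):
    """Return {user: (change, expire)} from fields 6 and 7 of master.passwd."""
    out = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 10 and not line.startswith("#"):
            out[f[0]] = (int(f[5]), int(f[6]))
    return out

if __name__ == "__main__":
    for cls, cap, val in unenforced_settings(parse_login_conf(SAMPLE_LOGIN_CONF)):
        print(f"{cls}: {cap}={val} is reserved; not implemented in the base system")
    for user, (change, expire) in aging_fields(SAMPLE_MASTER_PASSWD).items():
        print(f"{user}: change={change} expire={expire} (0 means not set)")
```

On a real host, pass the contents of /etc/login.conf and /etc/master.passwd to the two parsers; reading master.passwd requires root.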