password expiry

Matthew Seaman m.seaman at
Thu May 13 06:34:38 PDT 2004

On Thu, May 13, 2004 at 01:22:45PM +0200, Piotr Gnyp wrote:
> On Thu, 13 May 2004, Matthew Seaman <m.seaman at> wrote:
> > On Thu, May 13, 2004 at 12:59:58PM +0200, Piotr Gnyp wrote:
> > > I`m trying to set password expiry for users, I`ve changed login.conf to:
> > >         :minpasswordlen=6:\
> > >         :passwordtime=30d:\
> > >         :warnpassword=1w:\
> > > But it doesn`t seem to work. What I`m missing, or where I will find the
> > > answer. Plase advice.
> >     # cap_mkdb /etc/login.conf
> > perhaps?  Remember too that login.conf is only consulted at login
> > time, so you have to log out and back in again in order to see any
> > effects.
> done that, and also I`ve added to sshd_conf:
> UseLogin yes
> And no effect.
> Tried on 5.2.1-R-p6 and 4.10-PRER.

Ah... so you're using sshd(8).  You didn't happen to mention that
rather relevant information before.  Can you try logging in on the
console to test your changes?  If login.conf settings work on the
console then sshd is the problem.  Otherwise, it's the login.conf
stuff itself which is at fault.

sshd(8) defaults to trying it's own key based authentication and then
backing off to the standard PAM system to do user authentication --
see the ChallengResponseAuthentication entry in sshd_config(5).  At
the moment the default value of the relevant bit in /etc/pam.conf (4.x
-- not sure what 5.x uses) is:

    sshd    account required

and if you check the source code for the pam_sm_acct_mgmt() function
of in /usr/src/lib/libpam/modules/pam_unix/pam_unix.c you
can see that the login.conf settings are checked when the session is
authenticated using Unix passwords.  OTOH if you're using ssh keys it
doesn't seem to check that way.



Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP:         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :

More information about the freebsd-questions mailing list