password aging and other policy enforcement
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Sat Jun 30 20:15:14 UTC 2007
Patrick, good day.
Sat, Jun 30, 2007 at 10:12:59AM -0700, Patrick Dung wrote:
> 1. Administrator can enforce password expire in /etc/login.conf
In the /etc/master.passwd. login.conf has the fields, but does
not implement the functionality, if the manpage is right:
=====
RESERVED CAPABILITIES
The following capabilities are reserved for the purposes indicated and
may be supported by third-party software. They are not implemented in
the base system.
Name            Type    Notes   Description
<...>
expireperiod    time            Time for expiry allocation.
graceexpire     time            Grace days for expired account.
=====
But the following fields are working:
> Is there any tool that can check when the password will expire for the
> users?
Yep,
=====
$ LANG=C date -r `pw showuser <username_here> | cut -d: -f 6`
Tue Jan 20 00:00:00 MSK 2009
$ LANG=C date -r `pw showuser <username_here> | cut -d: -f 7`
Sat Feb 28 00:00:00 MSK 2009
=====
> 2. Any good way to enforce minimum password length and other
> restriction(like password need at least 2 numbers, 2 special char)?
>
> 3. Any ways to prevent user reuse old password?
man pam_passwdqc, search for 'match' and 'similar'.
But for '3.': the user can still change his password to something
and immediately bounce back to the old password. A longer password
history changes the chain length, but does not solve the problem
completely. The complete password history can help, but it is out
of passwdqc's scope: it just checks against the current password.
--
Eygene
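
A batch version of the `pw showuser` check above, as an added example that is not part of the original message: it reads master.passwd-format records and reports, per user, the time left on field 6 (password change) and field 7 (account expiry). The function names, sample records and reference time are constructed for illustration.

```shell
#!/bin/sh
# Added example: password-aging report over master.passwd-format records
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# Fields 6 (change) and 7 (expire) are seconds since the epoch; 0 means "never".

# aging_report NOW
#   Reads records on stdin; NOW is the reference time in epoch seconds.
#   Prints "<user> change=<status> expire=<status>" for each valid record.
aging_report() {
    awk -F: -v now="$1" '
    function status(ts,   days) {
        if (ts == "" || ts + 0 == 0) return "never"     # aging not set
        if (ts + 0 <= now + 0) return "EXPIRED"          # deadline has passed
        days = int((ts - now) / 86400)                   # whole days remaining
        return days "d"
    }
    /^#/ || NF < 10 { next }    # skip comments and malformed records
    { printf "%s change=%s expire=%s\n", $1, status($6), status($7) }
    '
}

# Constructed sample records (not real accounts; password field is a placeholder).
sample_records() {
    cat <<'EOF'
# constructed sample
alice:*:1001:1001::1232398800:1235768400:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*:1003:1003::1183000000:0:Carol:/home/carol:/bin/sh
EOF
}

# Constructed reference time used with the sample records.
SAMPLE_NOW=1183234514

# Run against the sample when executed directly:
sample_records | aging_report "$SAMPLE_NOW"
```

On a live system the same function can be fed the real file as root, for example `aging_report "$(date +%s)" < /etc/master.passwd`.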