password aging and other policy enforcement

Eygene Ryabinkin rea-fbsd at codelabs.ru
Sat Jun 30 20:15:14 UTC 2007


Patrick, good day.

Sat, Jun 30, 2007 at 10:12:59AM -0700, Patrick Dung wrote:
> 1. Administrator can enforce password expire in /etc/login.conf

In /etc/master.passwd. login.conf has the fields, but does not
implement the functionality, if the manpage is right:
=====
RESERVED CAPABILITIES
     The following capabilities are reserved for the purposes indicated and
     may be supported by third-party software.  They are not implemented in
     the base system.

     Name              Type      Notes     Description
<...>
     expireperiod      time                Time for expiry allocation.
     graceexpire       time                Grace days for expired account.
=====
But the following fields are working:

> Is there any tool that can check when the password will expire for the
> users?

Yep,
=====
$ LANG=C date -r `pw showuser <username_here> | cut -d: -f 6`
Tue Jan 20 00:00:00 MSK 2009

$ LANG=C date -r `pw showuser <username_here> | cut -d: -f 7`
Sat Feb 28 00:00:00 MSK 2009
=====

> 2. Any good way to enforce minimum password length and other
> restriction(like password need at least 2 numbers, 2 special char)?
> 
> 3. Any ways to prevent user reuse old password?

man pam_passwdqc; search for 'match' and 'similar'.

But for '3.': the user can still change his password to something
else and immediately bounce back to the old password.  A longer password
history changes the chain length, but does not solve the problem
completely.  The complete password history can help, but it is out
of passwdqc's scope: it only checks against the current password.
-- 
Eygene
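As an added example (not part of this mail and not a FreeBSD tool), a small script that reads master.passwd-style records, the same layout that `pw showuser` prints, and reports for each account whether the change time (field 6) or expire time (field 7) has already passed. The sample records and the fixed `now` timestamp are constructed for illustration.

```python
"""Audit password-change and account-expiry dates recorded in master.passwd."""
import time

# Constructed sample records in master.passwd(5) layout, the same format that
# `pw showuser <name>` prints (fields 6 and 7 are change/expire Unix times;
# 0 means the field is unset).
SAMPLE_RECORDS = """\
alice:*:1001:1001::1232409600:1235779200:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*:1003:1003::1200000000:0:Carol:/home/carol:/bin/sh
dave:*:1004:1004::0:1235779200:Dave:/home/dave:/bin/sh
erin:*:1005:1005::0:1232409600:Erin:/home/erin:/bin/sh
"""

DAY = 86400

def parse_record(line):
    """Return (name, change_time, expire_time) from one master.passwd line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 10:
        raise ValueError("expected 10 colon-separated fields: %r" % line)
    return fields[0], int(fields[5] or 0), int(fields[6] or 0)

def classify(change, expire, now):
    """Describe one account's aging state relative to `now` (Unix seconds)."""
    if expire and expire <= now:
        return "account expired"
    if change and change <= now:
        return "password change required at next login"
    deadlines = [t for t in (change, expire) if t]
    if not deadlines:
        return "no password aging configured"
    days = (min(deadlines) - now) // DAY
    return "%d day(s) until next password/account deadline" % days

def audit(records, now=None):
    """Map each account name to its aging status; skips blank/comment lines."""
    now = int(time.time()) if now is None else now
    report = {}
    for line in records.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, change, expire = parse_record(line)
        report[name] = classify(change, expire, now)
    return report

if __name__ == "__main__":
    # 2009-01-28 00:00:00 UTC, chosen so the sample dates fall around it.
    for name, status in sorted(audit(SAMPLE_RECORDS, now=1233100800).items()):
        print("%-8s %s" % (name, status))
```

On a real host, `audit(open("/etc/master.passwd").read())` with no `now` argument gives the same report against the current time.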


More information about the freebsd-questions mailing list