login.conf: passwordtime not enforced?

b. f. bf1783 at googlemail.com
Wed Jul 14 01:19:49 UTC 2010

>after reading some docs about hardening freebsd installations, I
> decided to enforce password expiration after 90days. I've added the
> corresponding line to /etc/login.conf and ... after quite some time
> (way more than 3 months already!) nothing happens ...

If you want help, you'll have to be more specific.  Exactly what
changes did you make to login.conf, in what sections?  Did you run
'cap_mkdb /etc/login.conf' afterwards?  Did you then reset your
account passwords and check the sixth colon-delimited field in
/etc/master.passwd with 'date -r' for each account changed, to see if
the appropriate expiration date was registered?  Next time you make a
change like this, test it with a short expiration time (a minute or
two, say) on a non-critical account to see if works instead of waiting
three months to discover that it does not.

> Any ideas on how to enforce this? Do I have to manually use pw(1) every 90 days?

No, you shouldn't have to if you use the feature properly.  You'll be
prompted immediately after login for a new password if your old one
has expired.


More information about the freebsd-questions mailing list