login.conf: passwordtime not enforced?

Thu Jul 15 18:01:12 UTC 2010

On 7/14/10, Fernan Aguero <fernan.aguero at gmail.com> wrote:
> On Wed, Jul 14, 2010 at 1:25 PM, b. f. <bf1783 at googlemail.com> wrote:
>> On 7/14/10, Fernan Aguero <fernan.aguero at gmail.com> wrote:
...
>> The first time you have to change it manually for each account, with
>> passwd(1);
>
> Sorry if I'm getting dense but do you mean 'manually' as in editing
> master.passwd with vipw?
> Or do you really mean 'manually with passwd(1)? My passwd(1) only
> allows me to change the user password and even doing this doesn't
> update the expiration time in master.passwd. Is there a hidden
> functionality in passwd that allows me to set the expiration time for
> the password?

Yes, I meant with passwd(1).  After some preliminaries, passwd(1)
hands the task over to pam(3), in particular pam_sm_chauthtok(3) of
pam_unix(8). This in turn uses the pw_* routines of libutil, contained
in /usr/src/lib/libutil/pw_util.c.  The pw_* use various libc
functions and pwd_mkdb(8). The handling of the reserved capabilities
minpasswordlen,
mixpasswordcase, passwordtime, etc. needs at least to be in pam(3),
for when you are prompted to reset your password, and should probably
be implemented in the other utilities that don't use pam(3), like
chpass(1),  pw(8), and the vipw(8) consistency checks.  It looks like
passwd(1) used to deal with these capabilities directly, but in April
2002 it was gutted and turned into a front-end for pam(3), and some of
the options-handling fell by the wayside.  In Feb. 2010, in response
to

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=bin/93310

des@, who is responsible for pam(3), added passwordtime-handling in:

http://svn.freebsd.org/viewvc/base?view=revision&revision=203377

At the time, he announced that it would be merged, at least into
8-STABLE (and subsequently into 8.1), in one week.  He never performed
this merge: I assume that he forgot.  So unfortunately it looks as if
you will have to manually set password expiration times.  You could do
this, for example,  with vipw(8); or with pw(8) and either a -p
argument or a password_days entry in pw.conf(5). Or you could add the
patch from the above PR to your system pam_unix(8) sources and rebuild
them, or update to 9-CURRENT (which is what I am using).

I'm guessing that some of the other reserved options are neglected as
well.  You could enforce them manually, or patch pam_unix(8),
chpass(1),  pw(8), and vipw(8).  If you do so, you should submit PRs
with your patches, in the hopes that someone will reintroduce them
into the base-system utilities.  Ironically, the stripped-down
/usr/src/release/picobsd/tinyware/passwd/local_passwd.c still handles
some of them -- you could look at that for ideas.

Incidentally, If I were you, I would update at least to the latest
stable release of FreeBSD, unless you are constrained to use the
earlier releases for some work-related reason.

b.