[nycbug-talk] Change password at next login?
Tim A.
techneck at goldenpath.org
Sun Apr 27 14:09:16 EDT 2008
Brian A. Seklecki wrote:
>
> On Fri, 25 Apr 2008, Tim A. wrote:
>
>> Internal FreeBSD server, no outside access.
>
> pw(8) and login.conf(8). You can expire passwords and accounts after
> X-days.
Thanks. I got it. Just expire a password:
$ pw moduser theuser -p `date`
>
>> Is there anything else that does this?
>>
>> Also, is there someway to require a certain level of password
>> complexity?
>
> For LDAP (nss_ldap+pam_ldap), you could enforce strong passwords using
> a custom filter, but I have found that 2-factor authentication is much
> more successful than strong passwords (which just encourage people to
> write them down)
>
> For this, you can use something like Entrust IdentityGuard, in
> combination with pam_radius (with fallback to pam_ldap), for
> two-factor authentication (grid cards, FOBs), OTP password lists, etc...
>
> ~BAS
Again, thanks. I'll check that out. 2-factor authentication sounds like
a good idea.
In login.conf man page I found minpasswordlen, which unfortunately
didn't work. Then I noticed a reference to pam_passwdqc superseding
minpasswordlen option.
I added this line to /etc/pam.d/passwd
password requisite pam_passwdqc.so min=disabled,6 match=4 similar=deny enforce=users
Under the impression that it would disallow passwords of a single
character class (like, all letters or all numbers), require at least 6
characters from at least 2 character classes, and match up to 4 of those
in comparing for similarity to the previous password and deny if found,
and enforce this policy for users.
As a user, it does prompt and warn, but it's not enforcing. If I persist
in attempting to set a password that violates that policy, it prompts a
second time but then gives up and allows it.
Is this normal? Have I done something wrong?
>
>> Of course, I'd prefer to setup some sort of ssh-key escrow management
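The pam_passwdqc line in the post uses the options min=, match=, similar= and enforce=. In the module's own documentation, min= takes exactly five comma-separated values, min=N0,N1,N2,N3,N4 (default min=disabled,24,11,8,7): N0 is the minimum length for a password made of one character class, N1 for two classes, N2 for passphrases, N3 for three classes and N4 for four, with "disabled" meaning that class count is never accepted; an uppercase letter at the start and a digit at the end of the password do not count toward the class count. The Python below is an added, simplified model of those semantics written for this page; it is not pam_passwdqc's code and not from the post, it omits the module's passphrase, dictionary and keyboard-sequence checks, uses a stricter "based on the old password" test than the real one, and ignores enforce= (which in the module only selects whether root is exempt). The sample passwords and policy values are constructed for the demonstration.

```python
import math

# Simplified model of pam_passwdqc's min=, match= and similar= options.
# Illustrative only: not the module's implementation, and it leaves out
# passwdqc's passphrase handling (the N2 slot), its dictionary and
# keyboard-sequence checks, and its more forgiving similarity logic.

DISABLED = math.inf


def parse_min(spec):
    """Parse the value part of min=N0,N1,N2,N3,N4.

    As in passwdqc: exactly five comma-separated fields, each an integer or
    the word 'disabled', and no field may be larger than the one before it.
    """
    fields = spec.split(",")
    if len(fields) != 5:
        raise ValueError("min= needs exactly five values, got %d" % len(fields))
    mins = []
    for f in fields:
        v = DISABLED if f == "disabled" else int(f)
        if mins and v > mins[-1]:
            raise ValueError("min= values must not increase left to right")
        mins.append(v)
    return mins


def char_classes(pw):
    """Count character classes (digit, lower, upper, other) in pw.

    Like passwdqc, an uppercase letter at the start and a digit at the end
    are not counted, so 'Passw0rd' is a two-class password, not three.
    """
    body = pw
    if body and body[0].isupper():
        body = body[1:]
    if body and body[-1].isdigit():
        body = body[:-1]
    classes = set()
    for c in body:
        if c.isdigit():
            classes.add("digit")
        elif c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        else:
            classes.add("other")
    return len(classes)


def is_based_on(new, old, match):
    """True if new shares a substring of at least `match` characters with
    old or with old reversed, compared case-insensitively. This is a
    simplified stand-in for passwdqc's similarity test."""
    if not old or match <= 0:
        return False
    n = new.lower()
    for cand in (old.lower(), old.lower()[::-1]):
        for i in range(len(cand) - match + 1):
            if cand[i:i + match] in n:
                return True
    return False


def check(new, old=None, min_spec="disabled,24,11,8,7", match=4,
          similar="deny"):
    """Return (accepted, reason) for a candidate password under the policy."""
    mins = parse_min(min_spec)
    ncls = char_classes(new)
    # 1 class -> N0, 2 -> N1, 3 -> N3, 4 -> N4; N2 is the passphrase slot,
    # which this model does not implement. A zero-class password (e.g. "A1",
    # which is empty after stripping) is treated like a one-class one.
    slot = {1: 0, 2: 1, 3: 3, 4: 4}.get(ncls, 0)
    need = mins[slot]
    if need == DISABLED:
        return False, "passwords with %d character class(es) are not allowed" % ncls
    if len(new) < need:
        return False, "too short: %d class(es) need at least %d characters" % (ncls, need)
    if similar == "deny" and old is not None and is_based_on(new, old, match):
        return False, "based on the old password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed policy: no single-class passwords, 8 chars for 2-3 classes,
    # 7 chars for 4 classes, reject reuse of 4-char substrings of the old one.
    policy = dict(min_spec="disabled,8,8,8,7", match=4, similar="deny")
    for new, old in (("password", None), ("trombone47", None),
                     ("trombone47", "trombone12"), ("xK9#bLq2mZ", "trombone12")):
        print(new, check(new, old, **policy))
    try:
        parse_min("disabled,6")
    except ValueError as e:
        print("min=disabled,6 ->", e)
```

Running the block prints one verdict per constructed password and then the parser's complaint about a two-field min= spec; with the five-field grammar, a policy of "at least 6 characters from at least 2 classes, single-class passwords never" would be spelled min=disabled,6,6,6,6.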
More information about the talk mailing list