[nycbug-talk] Change password at next login?
george at ceetonetechnology.com
Sun Apr 27 15:47:41 EDT 2008
Tim A. wrote:
> Brian A. Seklecki wrote:
>> On Fri, 25 Apr 2008, Tim A. wrote:
>>> Internal FreeBSD server, no outside access.
>> pw(8) and login.conf(8). You can expire passwords and accounts after
> Thanks. I got it. Just expire a password:
> $ pw moduser theuser -p `date`
>>> Is there anything else that does this?
>>> Also, is there some way to require a certain level of password
>> For LDAP (nss_ldap+pam_ldap), you could enforce strong passwords using
>> a custom filter, but I have found that 2-factor authentication is much
>> more successful than strong passwords (which just encourage people to
>> write them down)
>> For this, you can use something like Entrust IdentityGuard, in
>> combination with pam_radius (with fallback to pam_ldap), for
>> two-factor authentication (grid cards, FOBs), OTP password lists, etc...
> Again, thanks. I'll check that out. 2-factor authentication sounds like
> a good idea.
> In login.conf man page I found minpasswordlen, which unfortunately
> didn't work. Then I noticed a reference to pam_passwdqc superseding
> minpasswordlen option.
> I added this line to /etc/pam.d/passwd
> password requisite pam_passwdqc.so min=disabled,6 match=4 similar=deny enforce=users
> Under the impression that it would disallow passwords of a single
> character class (like, all letters or all numbers), require at least 6
> characters from at least 2 character classes, and match up to 4 of those
> in comparing for similarity to the previous password and deny if found,
> and enforce this policy for users.
> As a user, it does prompt and warn, but it's not enforcing. If I persist
> in attempting to set a password that violates that policy, it prompts a
> second time but then gives up and allows it.
> Is this normal? Have I done something wrong?
cap_mkdb /etc/login.conf ?
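
The reply's suggestion turned into a check, added here as an example that is not part of the original thread: on FreeBSD an edit to /etc/login.conf only takes effect once cap_mkdb has rebuilt /etc/login.conf.db, so this reads a capability from the source file and reports whether the database is older than it. The function names `db_state`, `cap_value` and `report` are hypothetical, and `tc=` inheritance is not followed.

```shell
#!/bin/sh
# Added example: has an edit to login.conf been compiled into login.conf.db?

# db_state CONF DB -> prints "missing", "stale" or "current"
db_state() {
    if [ ! -e "$2" ]; then
        echo missing
    elif [ "$1" -nt "$2" ]; then      # source edited after the last cap_mkdb
        echo stale
    else
        echo current
    fi
}

# cap_value CONF CLASS CAP -> prints the value of CAP in CLASS's record.
# Joins backslash-continued lines; does not follow tc= inheritance.
cap_value() {
    awk -v class="$2" -v cap="$3" '
        /^[ \t]*#/ { next }                      # skip comment lines
        { line = line $0 }
        /\\$/ { sub(/\\$/, "", line); next }     # continuation: keep reading
        {
            n = split(line, f, ":"); line = ""
            m = split(f[1], names, "[|]"); hit = 0
            for (i = 1; i <= m; i++) if (names[i] == class) hit = 1
            if (!hit) next
            for (i = 2; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (index(f[i], cap "=") == 1) {
                    print substr(f[i], length(cap) + 2); exit
                }
            }
        }' "$1"
}

# report [CONF] [CLASS]: e.g. `report /etc/login.conf default`
report() {
    conf=${1:-/etc/login.conf}; class=${2:-default}
    echo "minpasswordlen ($class): $(cap_value "$conf" "$class" minpasswordlen)"
    case $(db_state "$conf" "$conf.db") in
        current) echo "$conf.db is up to date" ;;
        *)       echo "not in effect yet, run: cap_mkdb $conf" ;;
    esac
}
```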