[nycbug-talk] Change password at next login?

George Rosamond george at ceetonetechnology.com
Sun Apr 27 15:47:41 EDT 2008


Tim A. wrote:
> Brian A. Seklecki wrote:
>> On Fri, 25 Apr 2008, Tim A. wrote:
>>
>>> Internal FreeBSD server, no outside access.
>> pw(8) and login.conf(8).  You can expire passwords and accounts after 
>> X-days.
> 
> Thanks. I got it. Just expire a password:
> $ pw moduser theuser -p `date`
> 
>>> Is there anything else that does this?
>>>
>>> Also, is there someway to require a certain level of password 
>>> complexity?
>> For LDAP (nss_ldap+pam_ldap), you could enforce strong passwords using 
>> a custom filter, but I have found that 2-factor authentication is much 
>> more successful than strong passwords (which just encourage people to 
>> write them down)
>>
>> For this, you can use something like Entrust IdentityGuard, in 
>> combination with pam_radius (with fallback to pam_ldap), for 
>> two-factor authentication (grid cards, FOBs), OTP password lists, etc...
>>
>> ~BAS
> 
> Again, thanks. I'll check that out. 2-factor authentication sounds like 
> a good idea.
> 
> In login.conf man page I found minpasswordlen, which unfortunately 
> didn't work. Then I noticed a reference to pam_passwdqc superseding 
> minpasswordlen option.
> 
> I added this line to /etc/pam.d/passwd
> password        requisite        pam_passwdqc.so         min=disabled,6 match=4 similar=deny enforce=users
> 
> Under the impression that it would disallow passwords of a single 
> character class (like, all letters or all numbers), require at least 6 
> characters from at least 2 character classes, and match up to 4 of those 
> in comparing for similarity to the previous password and deny if found, 
> and enforce this policy for users.
> 
> As a user, it does prompt and warn, but it's not enforcing. If I persist 
> in attempting to set a password that violates that policy, it prompts a 
> second time but then gives up and allows it.
> 
> Is this normal? Have I done something wrong?
> 

cap_mkdb /etc/login.conf ?

g
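Added illustration, not from either poster and not the pam_passwdqc sources: a small Python model of the policy the quoted pam.d line tries to express, so the rules can be tried on sample passwords offline. It assumes the documented option shapes min=N0,N1,N2,N3,N4, match=N and similar=permit|deny, counts the four passwdqc character classes (digits, lowercase, uppercase, other) without passwdqc's special cases (leading uppercase, trailing digit, passphrases, dictionary checks), and treats a min= list that is not five values long as a configuration error. All function names here are this example's own.

```python
"""Simplified model of the pam_passwdqc options discussed in the thread.

Added example, not passwdqc code: it mimics min=N0,N1,N2,N3,N4, match=N and
similar=permit|deny as the poster describes them, leaving out passwdqc's
passphrase, dictionary and first-uppercase/last-digit rules.
"""
import string

# Character classes as passwdqc counts them: digits, lowercase, uppercase,
# and "other" (anything else; tracked as index 3 below).
CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase)


class ConfigError(ValueError):
    """Raised for an option value this model cannot interpret."""


def parse_min(spec):
    """Parse the value of min= into five entries (None for 'disabled').

    Entry i is the minimum length for a password using i+1 character
    classes; the fifth entry covers passphrases. This model insists on all
    five values, as in the pam_passwdqc(8) syntax, so the thread's
    'disabled,6' is reported as a configuration error.
    """
    fields = spec.split(",")
    if len(fields) != 5:
        raise ConfigError("min= needs 5 values (N0,N1,N2,N3,N4), got %d: %r"
                          % (len(fields), spec))
    mins = []
    for field in fields:
        if field == "disabled":
            mins.append(None)
        elif field.isdigit():
            mins.append(int(field))
        else:
            raise ConfigError("bad min= value: %r" % field)
    return mins


def min_spec_ok(spec):
    """True if a min= value parses; a cheap pre-check for a pam.d line."""
    try:
        parse_min(spec)
    except ConfigError:
        return False
    return True


def parse_options(argstr):
    """Turn 'min=disabled,6 match=4 similar=deny' into a dict (constructed
    helper; passwdqc itself receives these as separate PAM arguments)."""
    opts = {}
    for token in argstr.split():
        key, _, value = token.partition("=")
        opts[key] = value
    return opts


def char_classes(pw):
    """Number of distinct character classes present in pw (0 to 4)."""
    present = set()
    for ch in pw:
        for idx, cls in enumerate(CLASSES):
            if ch in cls:
                present.add(idx)
                break
        else:
            present.add(3)          # "other": punctuation, space, non-ASCII
    return len(present)


def shares_substring(new, old, match):
    """True if new and old share a common substring of at least `match`
    characters (case-insensitive): the similarity test match=N drives."""
    if match <= 0 or not old or len(new) < match:
        return False
    a, b = new.lower(), old.lower()
    return any(a[i:i + match] in b for i in range(len(a) - match + 1))


def check_password(new, old="", min_spec="disabled,24,11,8,7",
                   match=4, similar="deny"):
    """Return None if `new` passes the policy, else a reason string.
    Defaults are passwdqc's documented defaults for these three options."""
    mins = parse_min(min_spec)
    n = char_classes(new)
    if n == 0:
        return "empty password"
    need = mins[n - 1]
    if need is None:
        return "%d character class(es): not allowed by min=" % n
    if len(new) < need:
        return "too short: %d class(es) need at least %d characters" % (n, need)
    if similar == "deny" and shares_substring(new, old, match):
        return "too similar to the old password (shares %d+ characters)" % match
    return None


if __name__ == "__main__":
    # The argument string from the quoted pam.d line.
    opts = parse_options("min=disabled,6 match=4 similar=deny enforce=users")
    print("min= parses in this model:", min_spec_ok(opts["min"]))
    # Same policy spelled out with all five values, tried on constructed inputs.
    full = "disabled,6,6,6,6"
    for new, old in [("abcdefgh", ""), ("ab1", ""), ("abcdef1", ""),
                     ("oldpass1X", "oldpass")]:
        print("%-10r -> %s" % (new, check_password(new, old, full,
                                                   int(opts["match"]),
                                                   opts["similar"])))
```

Fed the quoted line, the model stops at min=disabled,6 because only two of the five values are present; whether the installed pam_passwdqc accepts or rejects that spelling is something to confirm against pam_passwdqc(8) on the host rather than something this model settles. With the five-value form, an all-lowercase password is refused outright, a two-class password under six characters is refused for length, and a password sharing four consecutive characters with the old one is refused as similar unless similar=permit is given.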