<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Tim A. wrote:
<blockquote cite="mid:48162495.9060304@goldenpath.org" type="cite">
Tim A. wrote:
<blockquote cite="mid:481512B3.3000603@goldenpath.org" type="cite">
<pre wrap="">Tim A. wrote:
</pre>
<blockquote type="cite">
<pre wrap="">George Rosamond wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Tim A. wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Brian A. Seklecki wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Fri, 25 Apr 2008, Tim A. wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Internal FreeBSD server, no outside access.
</pre>
</blockquote>
<pre wrap="">pw(8) and login.conf(8). You can expire passwords and accounts
after X-days.
</pre>
</blockquote>
<pre wrap="">Thanks. I got it. Just expire a password:
$ pw moduser theuser -p `date`
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">Is there anything else that does this?
Also, is there some way to require a certain level of password
complexity?
</pre>
</blockquote>
<pre wrap="">For LDAP (nss_ldap+pam_ldap), you could enforce strong passwords
using a custom filter, but I have found that 2-factor authentication
is much more successful than strong passwords (which just encourage
people to write them down)
For this, you can use something like Entrust IdentityGuard, in
combination with pam_radius (with fallback to pam_ldap), for
two-factor authentication (grid cards, FOBs), OTP password lists,
etc...
~BAS
</pre>
</blockquote>
<pre wrap="">Again, thanks. I'll check that out. 2-factor authentication sounds
like a good idea.
In the login.conf man page I found minpasswordlen, which unfortunately
didn't work. Then I noticed a reference to pam_passwdqc superseding
the minpasswordlen option.
I added this line to /etc/pam.d/passwd
password requisite pam_passwdqc.so min=disabled,6 match=4 similar=deny enforce=users
Under the impression that it would disallow passwords of a single
character class (like, all letters or all numbers), require at least
6 characters from at least 2 character classes, and match up to 4 of
those in comparing for similarity to the previous password and deny
if found, and enforce this policy for users.
As a user, it does prompt and warn, but it's not enforcing. If I
persist in attempting to set a password that violates that policy, it
prompts a second time but then gives up and allows it.
Is this normal? Have I done something wrong?
</pre>
</blockquote>
<pre wrap="">cap_mkdb /etc/login.conf ?
g
</pre>
</blockquote>
<pre wrap="">Yes. I did that after trying the minpasswordlen. Didn't work, and that's
when I found pam_passwdqc.
It was not mentioned as required after pam_passwdqc change, is it?
</pre>
</blockquote>
<pre wrap=""><!---->Done. Works. Thanks.
Still gives back
passwd: pam_chauthtok(): authentication token failure
Is there a way to shut that up?
But it does enforce now.
So, making changes to /etc/pam.d/passwd also requires cap_mkdb
/etc/login.conf
You'd think they would have mentioned that in the man page.</pre>
</blockquote>
<br>
It works when calling passwd directly.<br>
But it won't enforce when prompted on first login via ssh.<br>
<br>
I've added pam_passwdqc line to /etc/pam.d/sshd<br>
<br>
Am I supposed to rebuild something after changing that too?<br>
<pre wrap="">
<hr size="4" width="90%"></pre>
</blockquote>
<br>
Well, I learned a lot about PAM. It's pretty cool.<br>
<br>
I still can't get pam_passwdqc to enforce on expired passwords being
renewed via ssh logins though.<br>
<br>
I've added:<br>
<tt>password requisite pam_passwdqc.so enforce=users</tt><br>
<br>
to the seemingly obvious service files:<br>
<tt>/etc/pam.d/passwd</tt><br>
<tt>/etc/pam.d/login</tt><br>
<tt>/etc/pam.d/sshd</tt><br>
<tt>/etc/pam.d/system</tt><br>
<br>
I ran strace on the sshd pid, reset and expired a pass, then connected.<br>
strace pauses at the password prompt though, and doesn't continue until
after the password has been changed.<br>
The output does not indicate that passwd is being called.<br>
So, I'm guessing:<br>
something else is being used to call passwd?<br>
some other system utility is being used to change the password other
than passwd?<br>
<br>
Something weird is going on.<br>
As far as I can tell, I've made the appropriate changes to enforce this.<br>
<br>
From reading up on PAM, I'm guessing there are other pam modules I can
use to do this and more.<br>
<br>
I just figured I should try to make the default system modules work the
way they're supposed to before I go digging around in the ports tree to
do something that seems like it should be really simple and standard.<br>
<br>
Maybe I'm just screwing it up. idk.<br>
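<br>
An added example, not code from anyone in this thread: a small audit that resolves OpenPAM <tt>include</tt> lines the way the PAM stack does and reports, per service, whether a password change reaches pam_passwdqc and whether its <tt>enforce=</tt> setting actually applies. The /etc/pam.d contents are constructed samples rather than FreeBSD's shipped files; the root-caller rule reflects pam_passwdqc's documented semantics (enforce=users only enforces for non-root callers, which matters because sshd and login change the password as root).<br>

```python
# Added example (not code from the thread): flatten OpenPAM `include` chains and
# report what pam_passwdqc does for a password change under each service.
import shlex

# Constructed /etc/pam.d tree (service -> file text), not FreeBSD's shipped files.
PAM_D = {
    "system": "password\trequired\tpam_unix.so\tno_warn try_first_pass\n",
    "passwd": ("password\trequisite\tpam_passwdqc.so\t"
               "min=disabled,6 match=4 similar=deny enforce=users\n"
               "password\trequired\tpam_unix.so\tno_warn try_first_pass\n"),
    "sshd": "auth\trequired\tpam_unix.so\tno_warn try_first_pass\n"
            "password\tinclude\tsystem\n",
}

def password_stack(service, files, seen=None):
    """Flatten the password facility of `service`, following `include` lines."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []  # include cycle or missing file: nothing runs
    seen.add(service)
    stack = []
    for raw in files[service].splitlines():
        fields = shlex.split(raw, comments=True)
        if len(fields) < 3 or fields[0] != "password":
            continue
        control, module, opts = fields[1], fields[2], fields[3:]
        if control == "include":
            stack.extend(password_stack(module, files, seen))
        else:
            stack.append((control, module, opts))
    return stack

def passwdqc_options(service, files):
    """Options of the first pam_passwdqc line in the stack, or None if absent."""
    for _control, module, opts in password_stack(service, files):
        if module.endswith("pam_passwdqc.so"):
            return dict(o.split("=", 1) if "=" in o else (o, True) for o in opts)
    return None

def enforcement(service, files, caller_is_root):
    """'absent', 'warn_only' or 'enforced' for a password change under `service`.
    enforce=users only enforces for non-root callers; sshd and login change the
    password as root, so they need enforce=everyone (passwdqc's default)."""
    opts = passwdqc_options(service, files)
    if opts is None:
        return "absent"
    mode = opts.get("enforce", "everyone")
    if mode == "none" or (mode == "users" and caller_is_root):
        return "warn_only"
    return "enforced"
```

Because sshd's password facility in the sample only includes <tt>system</tt>, adding a passwdqc line to <tt>system</tt> (ahead of pam_unix) is what changes sshd's result; a stack that is reached only as root still reports warn_only under enforce=users.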
</body>
</html>