Re: password aging and other policy enforcement
Me again. Forgot to finish the sentence, sorry.

Sat, Jun 30, 2007 at 11:59:49PM +0400, Eygene Ryabinkin wrote:
> > 1. Administrator can enforce password expire in /etc/login.conf
>
> In the /etc/master.passwd. login.conf has the fields, but does
> not implement the functionality, if the manpage is right:
> =
> RESERVED CAPABILITIES
> The following capabilities are reserved for the purposes indicated and
> may be supported by third-party software. They are not implemented in
> the base system.
>
> Name            Type    Notes   Description
> <...>
> expireperiod    time            Time for expiry allocation.
> graceexpire     time            Grace days for expired account.
> =
> But the following fields are working:
=
warnexpire      time            Advance notice for pending account expiry.
warnpassword    time            Advance notice for pending password expiry.
=
So this can provide some warnings to the user when they log in.
--
Eygene
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: password aging and other policy enforcement
Patrick, good day.

Sat, Jun 30, 2007 at 10:12:59AM -0700, Patrick Dung wrote:
> 1. Administrator can enforce password expire in /etc/login.conf

In the /etc/master.passwd. login.conf has the fields, but does
not implement the functionality, if the manpage is right:
=
RESERVED CAPABILITIES
The following capabilities are reserved for the purposes indicated and
may be supported by third-party software. They are not implemented in
the base system.

Name            Type    Notes   Description
<...>
expireperiod    time            Time for expiry allocation.
graceexpire     time            Grace days for expired account.
=
But the following fields are working:

> Is there any tool that can check when the password will expire for the
> users?

Yep,
=
$ LANG=C date -r `pw showuser username | cut -d: -f 6`
Tue Jan 20 00:00:00 MSK 2009
$ LANG=C date -r `pw showuser username | cut -d: -f 7`
Sat Feb 28 00:00:00 MSK 2009

> 2. Any good way to enforce minimum password length and other
> restriction(like password need at least 2 numbers, 2 special char)?
>
> 3. Any ways to prevent user reuse old password?

man pam_passwdqc, search for the 'match' and 'similar'. But for the
'3.': user still can change his password to something and immediately
bounce back to the old password. The longer password history changes
the chain length, but does not solve the problem completely. The
complete password history can help, but it is out of the passwdqc's
scope: it just checks against the current password.
--
Eygene
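Added example, not part of the original thread: the per-user check shown in the message above, extended to report every account at once. It assumes input in the ten-field master.passwd format (name:password:uid:gid:class:change:expire:gecos:home:shell), which is what `pw usershow -a` prints; the function names, the 14-day warning default and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Report password-change and account-expiry deadlines from master.passwd-format
# records. Field 6 (change) and field 7 (expire) are epoch seconds; 0 = not set.

# expiry_report [NOW] [WARN_DAYS]
#   Reads records on stdin. NOW is the reference time in epoch seconds
#   (default: current time); WARN_DAYS is the warning window (default: 14).
expiry_report() {
    awk -F: -v now="${1:-$(date +%s)}" -v warn="${2:-14}" '
    function status(ts,    days) {
        ts += 0                                   # force numeric; empty -> 0
        if (ts == 0)   return "never"             # no deadline configured
        if (ts <= now) return "EXPIRED"           # deadline already passed
        days = int((ts - now) / 86400)            # whole days remaining
        return (days <= warn ? "WARN:" : "ok:") days "d"
    }
    /^#/ || NF < 10 { next }                      # skip comments, short lines
    { printf "%s password=%s account=%s\n", $1, status($6), status($7) }
    '
}

# Constructed sample records (not real accounts), in master.passwd format.
sample_records() {
    cat <<'EOF'
# name:password:uid:gid:class:change:expire:gecos:home:shell
alice:*:1001:1001::1232398800:1235768400:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*:1003:1003::1183000000:0:Carol:/home/carol:/bin/sh
EOF
}

# Demo with a fixed reference time so the result is reproducible.
# On a FreeBSD host, as root:  pw usershow -a | expiry_report
sample_records | expiry_report 1232000000
```

The day arithmetic is done in awk rather than with `date -r`, so the report does not depend on the BSD form of that option.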
Re: password aging and other policy enforcement
Thanks for the reply.

pam_passwdqc has a feature to enforce minimum password length and the
combination. Also it can check the similarity between the current and
the new password.

But a tool to check when a user's password will expire is missing.
Also it cannot keep password history (passwords that the user has used).
The user can use password A, then change to password B and then
change back to password A...

Regards
Patrick

--- Manolis Kiagias <[EMAIL PROTECTED]> wrote:
> Patrick Dung wrote:
> > I have some question about password policy in FreeBSD:
> >
> > 1. Administrator can enforce password expire in /etc/login.conf
> > Is there any tool that can check when the password will expire for the
> > users?
> >
> > 2. Any good way to enforce minimum password length and other
> > restriction(like password need at least 2 numbers, 2 special char)?
> >
> > 3. Any ways to prevent user reuse old password?
> >
> > Regards
> > Patrick
> >
> These options have been moved to PAM (Pluggable Authentication
> Modules).
> Have a look at /etc/pam.d
> You will find a file called passwd
> Edit it and uncomment the line:
>
> password        requisite       pam_passwdqc.so
>
> Change the options you require per the manual page
>
> (man 8 pam_passwdqc)
>
> A lot of restrictions can be placed on the password (history,
> complexity, number of chars / symbols and so on).
>
> Manolis
Re: password aging and other policy enforcement
Patrick Dung wrote:
> I have some question about password policy in FreeBSD:
>
> 1. Administrator can enforce password expire in /etc/login.conf
> Is there any tool that can check when the password will expire for the
> users?
>
> 2. Any good way to enforce minimum password length and other
> restriction(like password need at least 2 numbers, 2 special char)?
>
> 3. Any ways to prevent user reuse old password?
>
> Regards
> Patrick
>
These options have been moved to PAM (Pluggable Authentication Modules).
Have a look at /etc/pam.d
You will find a file called passwd
Edit it and uncomment the line:

password        requisite       pam_passwdqc.so

Change the options you require per the manual page

(man 8 pam_passwdqc)

A lot of restrictions can be placed on the password (history,
complexity, number of chars / symbols and so on).

Manolis
password aging and other policy enforcement
I have some questions about password policy in FreeBSD:

1. Administrator can enforce password expire in /etc/login.conf
Is there any tool that can check when the password will expire for the
users?

2. Any good way to enforce minimum password length and other
restriction (like password need at least 2 numbers, 2 special char)?

3. Any ways to prevent user reuse old password?

Regards
Patrick