DaemonForums  

#1 awyeah, 6th November 2008
PAM and passwordtime?

According to my research... nobody seems to care that automatic password expiration is broken in FreeBSD. Notice that even when you set passwordtime in login.conf (and run cap_mkdb of course), you change your password and it doesn't update the expiry time in master.passwd.

Is there some workaround that people are using, or does nobody care?

Thanks!

#2 cajunman4life (Aaron Graves), 7th November 2008

Check the entry using vipw and see if that says different. I can't find anything in login.conf's man page that indicates this should work. 'passwordtime' is not used by the 'base system', but should be used by passwd.

http://www.freebsd.org/cgi/man.cgi?q...SE&format=html

http://www.freebsd.org/cgi/man.cgi?q...SD+7.0-RELEASE
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!

#3 awyeah, 7th November 2008

Actually, it turns out there's a couple of PRs open for this, and they're a couple of years old.

I'm wondering if there's an alternative that people are using?

#4 cajunman4life (Aaron Graves), 7th November 2008

There appear to be a few patches, though they haven't been checked in yet. They are a few years old, so they may or may not work, but you can try them out and see if they work for you:

http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/93473
http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/93310

If nothing else, you can try emailing the appropriate parties to get the patches (or a patch) checked in.

Last edited by cajunman4life; 7th November 2008 at 02:48 AM.

#5 ddekok, 10th November 2008

I just tried this on my system and it works. This may be due to the fact I use blowfish for my password format.

The default class from /etc/login.conf
Note that only passwd_format and passwordtime have been changed.

Code:
default:\
	:passwd_format=blf:\
	:passwordtime=60d:\
	:copyright=/etc/COPYRIGHT:\
	:welcome=/etc/motd:\
	:setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
	:path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin /usr/X11R6/bin ~/bin:\
	:nologin=/var/run/nologin:\
	:cputime=unlimited:\
	:datasize=unlimited:\
	:stacksize=unlimited:\
	:memorylocked=unlimited:\
	:memoryuse=unlimited:\
	:filesize=unlimited:\
	:coredumpsize=unlimited:\
	:openfiles=unlimited:\
	:maxproc=unlimited:\
	:sbsize=unlimited:\
	:vmemoryuse=unlimited:\
	:priority=0:\
	:ignoretime@:\
	:umask=022:
Rebuild the login.conf database and update your password.

# cap_mkdb /etc/login.conf
% passwd

Then, to test the expiration, change the password expiration on your account:

# pw usermod YOU -p 10-11-2008

Log out and then log back in. Hopefully you will be prompted to enter a new password.

I am assuming it is my passwd_format selection that allows me to do this. After I ran the above commands, I did see a timestamp in the password field of my user in /etc/master.passwd, and `date -r blah` confirmed it was the same date I set my password expiration to.

Last edited by ddekok; 10th November 2008 at 11:46 PM. Reason: Removed reference to pam_passwdqc as I confirmed that had nothing to do with my results
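
The symptom discussed in this thread (a passwordtime policy that never lands in master.passwd) can be checked per account. The following is an added example, not code from any poster or from FreeBSD: it assumes the ten-field master.passwd(5) layout in which field 6 is the password change time in epoch seconds, and the function names, sample accounts, hashes and timestamps are constructed.

```sh
#!/bin/sh
# Added example. Assumed master.passwd(5) layout:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# Field 6 (change) is the password change time in epoch seconds; 0 = no aging.

# Constructed sample data: accounts, hashes and timestamps are made up.
sample_master_passwd() {
    cat <<'EOF'
root:$2a$04$CONSTRUCTED:0:0::0:0:Charlie &:/root:/bin/csh
alice:$2a$04$CONSTRUCTED:1001:1001::1231459200:0:Alice:/home/alice:/bin/sh
bob:$2a$04$CONSTRUCTED:1002:1002::1226188800:0:Bob:/home/bob:/bin/sh
carol:$2a$04$CONSTRUCTED:1003:1003::1262304000:0:Carol:/home/carol:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
}

# audit_pw_change FILE NOW_EPOCH POLICY_DAYS
# Prints one line per account that can log in with a password:
#   NOAGING        change field is 0, so the password never expires
#   EXPIRED        change time has passed; a new password is due at next login
#   BEYOND_POLICY  change time is further out than POLICY_DAYS allows
#   OK <n>d        password aging is set, <n> whole days remain
audit_pw_change() {
    awk -F: -v now="$2" -v maxdays="$3" '
        /^#/ || NF < 10 { next }                   # comments, malformed lines
        $2 == "*" || $2 ~ /^\*LOCKED\*/ { next }   # no usable password
        {
            change = $6 + 0
            if (change == 0)                         status = "NOAGING"
            else if (change <= now)                  status = "EXPIRED"
            else if (change > now + maxdays * 86400) status = "BEYOND_POLICY"
            else status = "OK " int((change - now) / 86400) "d"
            print $1, status
        }' "$1"
}

# Demo on the constructed sample, with the clock fixed at
# 2008-11-10 00:00:00 UTC and a 60-day policy (passwordtime=60d).
tmp=$(mktemp)
sample_master_passwd > "$tmp"
audit_pw_change "$tmp" 1226275200 60
rm -f "$tmp"
```

On a live system, run it as root against /etc/master.passwd with `$(date +%s)` as the clock; an account that still reports NOAGING after its password was changed under a passwordtime policy shows the behaviour the first post describes.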
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick