warnpassword= in /etc/login.conf. login.conf(5)
While I certainly agree with this it's usually set in some security policy and you just have to follow that.
Note that this will usually make the password less secure and isn't generally recommended these days.
You can prevent this from happening by using pam_passwdqc(8):
It just encourages users to make their passwords things like password1, password2, password3 etc.
similar=permit|deny
(similar=deny) Whether a new password is allowed to be similar to
the old one. The passwords are considered to be similar when
there is a sufficiently long common substring and the new
password with the substring removed would be weak.
Looking where to set that option I was made aware by pam.conf(5) of /etc/pam.d/service-name, in this case of interest service-name /etc/pam.d/passwd.
#passwd requisite pam_passwdqc.so ...
and add the options there besides module pam_unix.so, or comment pam_unix.so, having pam_passwdqc.so module alone? And how should the control-flag be set, requisite or required?
:passwordtime:, in your case, :passwordtime=90d: and add it to the wanted class in /etc/login.conf.
doas cap_mkdb /etc/login.conf
passwd, chpass, pw or vipw.
:passwordtime: to /etc/login.conf. You still need to change the password before (periodic) expiry is enabled.
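
The two settings discussed in this thread, put side by side as an added example (not taken from any post above). It assumes the stock FreeBSD /etc/pam.d/passwd layout, where the pam_passwdqc.so line ships commented out ahead of pam_unix.so; the class name staff90 and the 14d warning value are constructed for illustration.

```conf
# --- /etc/login.conf (fragment) ---------------------------------------
# Hypothetical class "staff90": inherits everything from "default" and
# adds password ageing. passwordtime is applied the next time the
# password is changed, so existing passwords do not expire until then.
staff90:\
	:passwordtime=90d:\
	:warnpassword=14d:\
	:tc=default:

# After editing, rebuild the capability database, as in the thread:
#   doas cap_mkdb /etc/login.conf

# --- /etc/pam.d/passwd (password chain) -------------------------------
# Before (assumed stock layout): quality check disabled, pam_unix only.
#password	requisite	pam_passwdqc.so		enforce=users
#password	required	pam_unix.so		no_warn try_first_pass nullok

# After: pam_passwdqc.so stacked in front of pam_unix.so, not replacing it.
# "requisite" ends the chain at once on a rejected password, so pam_unix.so
# never gets to store it. pam_unix.so stays because it is the module that
# actually writes the new password. similar=deny is already the default;
# it is spelled out here to make the policy visible.
password	requisite	pam_passwdqc.so		enforce=users similar=deny
password	required	pam_unix.so		no_warn try_first_pass nullok
```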