auto expire user password

andrian

Active Member

Hi. Please tell me how I can implement the automatic expiry of the user's password on the FreeBSD system. For example, the user has to change the password every 90 days.
Do I need to write a script, or is such functionality present in the system?

xtaz

Well-Known Member

Note that this will usually make the password less secure and isn't generally recommended these days. It just encourages users to make their passwords things like password1, password2, password3 etc. Better to have a long passphrase like correcthorsebatterystaple and not force it to be changed all the time. https://www.xkcd.com/936/

SirDice

Administrator
Staff member
Moderator

xtaz said:
Note that this will usually make the password less secure and isn't generally recommended these days.

While I certainly agree with this, it's usually set in some security policy and you just have to follow that.

xtaz said:
It just encourages users to make their passwords things like password1, password2, password3 etc.

You can prevent this from happening by using pam_passwdqc(8):
Code:
     similar=permit|deny
             (similar=deny) Whether a new password is allowed to be similar to
             the old one.  The passwords are considered to be similar when
             there is a sufficiently long common substring and the new
             password with the substring removed would be weak.
There are still ways to make similarly looking passwords but at least it will prevent some of the obvious ones.

T-Daemon

Daemon

SirDice said:
You can prevent this from happening by using pam_passwdqc(8):
Code:
     similar=permit|deny
             (similar=deny) Whether a new password is allowed to be similar to
             the old one.  The passwords are considered to be similar when
             there is a sufficiently long common substring and the new
             password with the substring removed would be weak.
Looking for where to set that option, I was made aware by pam.conf(5) of /etc/pam.d/service-name; the service-name of interest in this case is /etc/pam.d/passwd.

How should options belonging to pam_passwdqc(8) be set? By uncommenting the line #passwd requisite pam_passwdqc.so ... and adding the options there beside the module pam_unix.so, or by commenting out pam_unix.so, leaving the pam_passwdqc.so module alone? And how should the control-flag be set, requisite or required?
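As an added illustration (not posted by anyone in this thread), this is how the similar=deny option SirDice quoted fits into the /etc/pam.d/passwd file T-Daemon mentions. It assumes the stock FreeBSD layout of that file, in which the pam_passwdqc line ships commented out and pam_unix follows it; the option values other than similar=deny and the stock enforce=users are left to pam_passwdqc(8):

```conf
# /etc/pam.d/passwd  (added example; assumes the stock FreeBSD layout of this file)

# passwd(1) does not use the auth, account or session services.

# password
# Uncomment the pam_passwdqc line and put its options after the module name.
# With "requisite", a new password that fails the quality check stops the
# stack right here, so pam_unix never gets to store it.
password	requisite	pam_passwdqc.so		enforce=users similar=deny
# pam_unix stays in the stack because it is the module that actually writes
# the new hash; try_first_pass makes it reuse the password pam_passwdqc has
# already accepted instead of prompting for it a second time.
password	required	pam_unix.so		no_warn try_first_pass nullok
```

Both modules stay: pam_passwdqc only judges the candidate password, pam_unix only stores it. A quick check after editing is to run passwd as an unprivileged user and offer a password that is a trivial variation of the old one; with similar=deny it should be rejected before any prompt to retype it.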

anbj

Member

andrian,

This is a late answer, but I want to resurrect this thread in case you're still having trouble or if anyone else is having the same problem. I've struggled with the same, and my findings are:

* choose the appropriate :passwordtime:, in your case, :passwordtime=90d: and add it to the wanted class in /etc/login.conf.
* run doas cap_mkdb /etc/login.conf

Now, in order for the expiry to get going, you first have to manually change the password; this may be done with passwd, chpass, pw or vipw.

An expiry will not be set automatically for any user added after adding :passwordtime: to /etc/login.conf. You still need to change the password before (periodic) expiry is enabled.

A bug or feature? I don't know. To me it's a bug.
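An added example, not posted by anyone in this thread, of the audit check that follows from anbj's observation: once :passwordtime=90d: is in the class and cap_mkdb has been run, accounts whose password has not been changed since then still have no deadline. The script assumes the master.passwd(5) field layout (field 6, "change", is the epoch time after which a new password is required, 0 meaning no deadline) and that passwd(1) fills that field from passwordtime at the next change. The input lines are constructed samples, not real accounts:

```shell
#!/bin/sh
# Added example (not from the thread). The login.conf side, as described in
# the thread:  add  :passwordtime=90d:  to the class, then  cap_mkdb /etc/login.conf
#
# Report accounts whose password-change deadline has passed, and accounts that
# have no deadline at all (change field still 0, i.e. never rotated since
# passwordtime was added). Assumed master.passwd(5) layout:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# Usage: overdue_accounts <now-epoch-seconds>   with master.passwd lines on stdin
overdue_accounts() {
    now="$1"
    awk -F: -v now="$now" '
        /^#/ || NF < 10 { next }            # skip comments and malformed lines
        $2 == "*" || $2 == "" { next }      # locked or empty password: nothing to rotate
        $6 == 0 {
            print $1 ": no change deadline set (password not rotated since passwordtime was added)"
            next
        }
        $6 < now { print $1 ": overdue since " $6 }
    '
}

# Constructed sample lines in master.passwd layout (not real accounts).
SAMPLE='root:*:0:0::0:0:Charlie &:/root:/bin/sh
alice:$6$abc:1001:1001:staff:1700000000:0:Alice:/home/alice:/bin/sh
bob:$6$def:1002:1002:staff:1800000000:0:Bob:/home/bob:/bin/sh
carol:$6$ghi:1003:1003:staff:0:0:Carol:/home/carol:/bin/sh'

# With now = 1750000000: alice is overdue, carol has no deadline,
# bob is within his window, root is locked and skipped.
printf '%s\n' "$SAMPLE" | overdue_accounts 1750000000
```

On a live system the same function is fed with `cat /etc/master.passwd | overdue_accounts "$(date +%s)"` as root; an account that shows up as "no change deadline set" is exactly the case anbj describes, and a one-off passwd, chpass or pw run for it is what makes the 90-day clock start.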