Dear FreeBSD gurus,

I have a problem concerning user password and authentication policies. The goal is:

1) make FreeBSD lock users after 3 unsuccessful login attempts,
2) force users to change their passwords every 90 days.

I've done such changes in Linux distros, with various PAM modules. But in FreeBSD it seems that I need to use the login.conf file. Here I made the necessary changes in that file:

>>>>>>
default:\
        .............
        .............
        .............
        :login-retries=1:\
        :passwordtime=90d:\
        :warnpassword=7d:\
        :warnexpire=7d:\
>>>>>>>

Then I ran cap_mkdb /etc/login.conf, and everything went normally, no error messages, but after adding a test user I see no changes in the master.passwd file. The fields which are reserved for password aging parameters are 0:0:

test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh

And the locking point does not work either, e.g. no matter how many times I input a wrong password, I'm still able to log in. :(

I cannot understand what I'm doing wrong, and what should be done to solve these issues? I'm not an expert in FreeBSD administration, so any comments and suggestions are welcome.

Thank you,
Khachatur Shahinyan
On Sat, Sep 13, 2008 at 10:42:06AM +0500, Khachatur Shahinyan wrote:
>         :passwordtime=90d:\
>         :warnpassword=7d:\
>         :warnexpire=7d:\
> >>>>>>>
>
> Then I ran cap_mkdb /etc/login.conf, and everything went normally, no error
> messages, but after adding a test user I see no changes in the master.passwd
> file.
> The fields which are reserved for password aging parameters are 0:0:
>
> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>
> And the locking point does not work either, e.g. no matter how many times I
> input a wrong password, I'm still able to log in. :(
> I cannot understand what I'm doing wrong, and what should be done to solve
> these issues? I'm not an expert in FreeBSD administration, so any comments
> and suggestions are welcome.

You'll notice in the login.conf man page that these are in the "reserved capabilities" section:

RESERVED CAPABILITIES
     The following capabilities are reserved for the purposes indicated and
     may be supported by third-party software.  They are not implemented in
     the base system.

For blocking repeated password attempts, check out security/pam_abl. Note that if sshd doesn't use PAM, it won't have any effect for ssh logins.

A quick search doesn't show me any port for enforcing password age. For what it's worth, I once emailed Bruce Schneier about the effectiveness of that and he said he never changed his passwords (based on age, anyway). But there's probably something.
On Sat, Sep 13, 2008 at 12:42 AM, Khachatur Shahinyan <khachatur.shahinyan@arca.am> wrote:
>
> Dear FreeBSD gurus,
>
> I have a problem concerning user password and authentication policies. The goal is:
>
> 1) make FreeBSD lock users after 3 unsuccessful login attempts,
> 2) force users to change their passwords every 90 days.
>
> I've done such changes in Linux distros, with various PAM modules. But in
> FreeBSD it seems that I need to use the login.conf file. Here I made the
> necessary changes in that file:
>
> >>>>>>
> default:\
>         .............
>         .............
>         .............
>         :login-retries=1:\
>         :passwordtime=90d:\
>         :warnpassword=7d:\
>         :warnexpire=7d:\
> >>>>>>>
>
> Then I ran cap_mkdb /etc/login.conf, and everything went normally, no error
> messages, but after adding a test user I see no changes in the master.passwd
> file.
> The fields which are reserved for password aging parameters are 0:0:
>
> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>
> And the locking point does not work either, e.g. no matter how many times I
> input a wrong password, I'm still able to log in. :(
> I cannot understand what I'm doing wrong, and what should be done to solve
> these issues? I'm not an expert in FreeBSD administration, so any comments
> and suggestions are welcome.

login.conf manual page: [1]

RESERVED CAPABILITIES
     The following capabilities are reserved for the purposes indicated and
     may be supported by third-party software.  They are not implemented in
     the base system.
     [...]
     passwordtime    time    Used by passwd(1) to set next password expiry date.
     [...]

The other capabilities (warnpassword, warnexpire, login-retries) do not relate to lock-out attempts. To my knowledge, there are no other capabilities supported by the base system in login.conf that will lock out an account. This has been discussed before [2,3]. It is not available in the base; the administrator has to do this manually.

[1] http://www.freebsd.org/cgi/man.cgi?query=login.conf&apropos=0&sektion=0&manpath=FreeBSD+7.0-RELEASE&format=html
[2] http://lists.freebsd.org/pipermail/freebsd-questions/2003-August/015073.html
[3] http://lists.freebsd.org/pipermail/freebsd-questions/2008-February/167981.html

Cheers,
Jon
Yes, pam_abl is the correct PAM module to solve this problem. After reading its manual I was able to lock users and log the authentication failures. Thank you for the help.

But the password expiration and warning issues are still open.

Thank you,
Khachatur Shahinyan

Tom Rhodes wrote:
> On Sat, 13 Sep 2008 15:26:10 +0500
> Khachatur Shahinyan <khachatur.shahinyan@arca.am> wrote:
>
>> Tom Rhodes wrote:
>>
>>> On Sat, 13 Sep 2008 11:35:21 +0500
>>> Khachatur Shahinyan <khachatur.shahinyan@arca.am> wrote:
>>>
>>>> Tom Rhodes wrote:
>>>>
>>>>> On Sat, 13 Sep 2008 10:42:06 +0500
>>>>> Khachatur Shahinyan <khachatur.shahinyan@arca.am> wrote:
>>>>>
>>>>>> Dear FreeBSD gurus,
>>>>>>
>>>>>> I have a problem concerning user password and authentication policies.
>>>>>> The goal is:
>>>>>>
>>>>>> 1) make FreeBSD lock users after 3 unsuccessful login attempts,
>>>>>> 2) force users to change their passwords every 90 days.
>>>>>>
>>>>>> I've done such changes in Linux distros, with various PAM modules. But in
>>>>>> FreeBSD it seems that I need to use the login.conf file. Here I made the
>>>>>> necessary changes in that file:
>>>>>>
>>>>>> >>>>>>
>>>>>> default:\
>>>>>>         .............
>>>>>>         .............
>>>>>>         .............
>>>>>>         :login-retries=1:\
>>>>>>         :passwordtime=90d:\
>>>>>>         :warnpassword=7d:\
>>>>>>         :warnexpire=7d:\
>>>>>> >>>>>>>
>>>>>>
>>>>>> Then I ran cap_mkdb /etc/login.conf, and everything went normally,
>>>>>> no error messages, but after adding a test user I see no changes in the
>>>>>> master.passwd file.
>>>>>> The fields which are reserved for password aging parameters are 0:0:
>>>>>>
>>>>>> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>>>>>>
>>>>>> And the locking point does not work either, e.g. no matter how many
>>>>>> times I input a wrong password, I'm still able to log in. :(
>>>>>> I cannot understand what I'm doing wrong, and what should be done to
>>>>>> solve these issues? I'm not an expert in FreeBSD administration, so any
>>>>>> comments and suggestions are welcome.
>>>>>
>>>>> You should be able to set these via the pw(8) utility.
>>>>
>>>> Thank you for the fast reply.
>>>>
>>>> Yes, some settings can be done via "pw", but it does not support auto
>>>> locking.
>>>
>>> I'm about to go to bed soon, but how did you accomplish this in Linux?
>>> We have PAM configuration in /etc/pam.d, you may wish to look there.
>>
>> We have a few Red Hat Linux machines, and solved this problem with faillog
>> (http://linux.die.net/man/8/faillog) and pam_tally
>> (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_tally.html).
>> It took over 30 minutes to fully configure the system. But in the case of
>> FreeBSD, it does not seem to be that easy :)
>
> Someone mentioned this port:
>
> security/pam_abl
>
> The description of this PAM module is:
>
> localhost# cat /usr/ports/security/pam_abl/pkg-descr
> The pam_abl provides auto blacklisting of hosts and users
> responsible for repeated failed authentication attempts.
>
> WWW: http://www.hexten.net/pam_abl/
>
> Which sounds interesting and most likely does what you want.
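An added example, not from the thread, that makes the "0:0" observation above concrete. It parses lines in the master.passwd format shown in the thread (name:password:uid:gid:class:change:expire:gecos:home:shell), classifies each account from the change and expire fields (epoch seconds, 0 meaning "no aging" / "never expires"), and prints the pw(8) usermod -p commands an administrator would run to put a 90-day change date on the accounts that still have 0 there, which is the manual route Tom Rhodes points at. The sample lines and hashes are constructed; the fixed reference time and the relative +90d date syntax for pw are assumptions of the example, as are the status names.

```python
"""Audit FreeBSD master.passwd password-aging fields and emit pw(8) commands.

Added example; not from the mailing-list thread. Field layout:
    name:password:uid:gid:class:change:expire:gecos:home:shell
'change' is the epoch time at which a password change is forced at login,
'expire' the epoch time at which the account expires; 0 disables either.
"""
import time

PASSWORDTIME_DAYS = 90   # the policy the thread's login.conf tried to set
WARNPASSWORD_DAYS = 7    # the warning window from the same login.conf
DAY = 86400

# Constructed sample of /etc/master.passwd (fake hashes, not real accounts).
SAMPLE_MASTER_PASSWD = """\
# name:password:uid:gid:class:change:expire:gecos:home:shell
root:*:0:0::0:0:Charlie &:/root:/bin/csh
test:$6$fakesalt$fakehash:1001:1001::0:0:User &:/home/test:/bin/sh
alice:$6$fakesalt$fakehash:1002:1002:staff:1229500000:0:Alice:/home/alice:/bin/sh
bob:$6$fakesalt$fakehash:1003:1003:staff:1200000000:0:Bob:/home/bob:/bin/sh
carol:$6$fakesalt$fakehash:1004:1004:staff:1229500000:1228000000:Carol:/home/carol:/bin/sh
"""

FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home", "shell")


def parse_master_passwd(text):
    """Parse master.passwd text into a list of dicts; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        for key in ("uid", "gid", "change", "expire"):
            entry[key] = int(entry[key])   # numeric fields; ValueError if garbage
        entries.append(entry)
    return entries


def aging_status(entry, now, warn_days=WARNPASSWORD_DAYS):
    """Classify one account the way login(1) would treat it at time 'now'."""
    if entry["password"].startswith("*"):        # '*' or pw lock's '*LOCKED*'
        return "locked"
    if entry["expire"] and now >= entry["expire"]:
        return "account-expired"
    if entry["change"] == 0:                     # the thread's '0:0' case
        return "no-aging"
    remaining = entry["change"] - now
    if remaining <= 0:
        return "change-required"                 # login(1) forces a new password
    if remaining <= warn_days * DAY:
        return "warn"
    return "ok"


def pw_commands(entries, now, passwordtime_days=PASSWORDTIME_DAYS):
    """pw(8) commands that set a change date on accounts with none (assumed +Nd syntax)."""
    return [f"pw usermod {e['name']} -p +{passwordtime_days}d"
            for e in entries if aging_status(e, now) == "no-aging"]


def audit(text, now=None):
    """Map account name -> aging status for a master.passwd text."""
    now = int(time.time()) if now is None else now
    return {e["name"]: aging_status(e, now) for e in parse_master_passwd(text)}


if __name__ == "__main__":
    REF_NOW = 1229000000   # fixed reference time so the sample run is reproducible
    for name, status in audit(SAMPLE_MASTER_PASSWD, REF_NOW).items():
        print(f"{name:8s} {status}")
    for cmd in pw_commands(parse_master_passwd(SAMPLE_MASTER_PASSWD), REF_NOW):
        print(cmd)
```

Note that pw -p writes a single absolute date into the change field; it does not re-apply the 90-day interval when the user later changes the password, so a script like this has to be re-run on a schedule to keep the policy in force.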