Password aging

Allen, Jack Jack.Allen at McKesson.com
Thu Aug 18 20:20:41 UTC 2005



-----Original Message-----
From: Allen, Jack [mailto:Jack.Allen at McKesson.com] 
Sent: Thursday, August 18, 2005 3:48 PM
To: 'Getting started with Red Hat Linux'
Subject: RE: Password aging




-----Original Message-----
From: Rick Stevens [mailto:rstevens at vitalstream.com] 
Sent: Thursday, August 18, 2005 1:22 PM
To: Getting started with Red Hat Linux
Subject: Re: Password aging


Allen, Jack wrote:
> 
> -----Original Message-----
> From: Rick Stevens [mailto:rstevens at vitalstream.com] 
> Sent: Thursday, August 18, 2005 12:07 PM
> To: Getting started with Red Hat Linux
> Subject: Re: Password aging
> 
> 
> Allen, Jack wrote:
> 
>>-----Original Message-----
>>From: jludwig [mailto:wralphie at comcast.net] 
>>Sent: Wednesday, August 17, 2005 8:21 PM
>>To: Getting started with Red Hat Linux
>>Subject: Re: Password aging
>>
>>
>>On Wednesday 17 August 2005 06:46 pm, Allen, Jack wrote:
>>
>>
>>>I have AS 4 64 bit installed. I have tried to enable password aging, but
>>>can not get it to work. I have used the chage command to change the
>>>expiration day. I can show it should have expired by doing "chage -l
>>>login_name". When I login I do not get a warning, and I am not asked to
>>>change my password. Is there some other configuration file that needs to
>>>be changed to enable it? The system is configured with shadow and md5
>>>encryption.
>>
>>
>>From:
>>man chage
>>
>>       The -E option is used to set a date on which the user's account will
>>no longer be accessible.  The expiredate option is the number of days since
>>January 1, 1970 on which the account is locked.  The date may also be
>>expressed in the format YYYY-MM-DD (or the format more commonly used in
>>your area).  A user whose account is locked must contact the system
>>administrator before being able to use the system again.
>>
>>Did you set this?
>>
>>	I am not trying to lock the account. I am trying to force the user
>>to change their password after a certain number of days. You know company
>>rules. What should be happening is the user connects to the system, provides
>>their login name and then gets prompted for their password. After they enter
>>the password they should get a message that their password has expired and
>>please enter a new one. In other words it would be like they got logged in
>>and received a message to change their password and they entered "passwd".
> 
> 
> You need to set the "-W n" (warn days) option to chage.  In other words,
> to set a user's account to expire on September 1, 2005, and warn them
> for 7 days previous, the chage command would be:
> 
>      # chage -E 2005-09-01 -W 7 username
> 
> 
>>	I assume it is the login program that handles this by what it finds
>>in the shadow file. I have also looked for configuration options for login,
>>to try and determine if it should be paying any attention to the aging
>>information in the shadow file. I could not find anything. I have even
>>looked at PAM and found /etc/pam.d/login. But I determined by looking at the
>>last accessed time on the file that it was not being accessed when I tested
>>logging in. So I am still looking for what controls making the user change
>>their password after some number of days.
> 
> 
> That's the "-M" option.  Here's a form I use a lot and sets the
> following criteria:
> 
>      Disable an account after 60 days of inactivity
>      Allow a user to change passwords whenever they want
>      Force a password change every 30 days
>      Warn the user for 7 days to change their password
> 
> The corresponding chage command is:
> 
>      # chage -I 60 -m 0 -M 30 -W 7 username
> 
> You do know that chage will run in interactive mode if you don't specify
> any options, e.g.
> 
>      # chage username
> 
> =============
> These are the settings for user white3. When I connect I enter the login name
> and then the password and get the shell prompt. It never warns me the
> password will or has expired. So what am I missing? As I asked earlier,
> exactly what program is supposed to be checking the values? I assume login,
> maybe using one of the PAM configuration files.
> 
> Changing the aging information for white3
> Enter the new value, or press ENTER for the default
> 
>         Minimum Password Age [0]: 
>         Maximum Password Age [1]: 
>         Last Password Change (YYYY-MM-DD) [2005-08-15]: 
>         Password Expiration Warning [1]: 
>         Password Inactive [14]: 
>         Account Expiration Date (YYYY-MM-DD) [2005-08-22]:

Ok, it absolutely should work.  Have you run pwck?  Also verify that
/etc/shadow has all the fields filled in.
=============
Yes I have run pwck and it only complains about missing home directories.
Example:
user adm: directory /var/adm does not exist
user news: directory /etc/news does not exist
user uucp: directory /var/spool/uucp does not exist
user gopher: directory /var/gopher does not exist
user pcap: directory /var/arpwatch does not exist
pwck: no changes

Here is the line from shadow:
white3:$1$lI.dioGw$Y/tabLB8qA/sjexL.0JXZ.:13010:0:1:1:14:13017:

Thanks
Jack Allen

============
More information: If I "su - white3", then I am told the password has
expired (aged). If I "sshd -l white3 0", then I am told the same thing. All
my other testing has been done by "telnet 0" and entering the login name and
the password. I have done "ps -ef | grep login" when doing the sshd and
telnet and both are executing login. Therefore I have to assume login is
what should be using the shadow/aging information. But I can not figure out
why ssh works and telnet does not.

Thanks
Jack Allen
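
Added example (mine, not code from the thread): a small Python audit that parses the white3 shadow line quoted above and evaluates its aging fields the way login/PAM are expected to, so an administrator can see what state a user should be in on a given day. The day-boundary comparisons are my reading of shadow-utils' isexpired(); the second entry is a constructed line using the -m 0 -M 30 -W 7 -I 60 policy Rick suggested.

```python
# Added example (not from the thread): evaluate shadow(5) aging fields the
# way login/PAM do. Boundary comparisons follow my reading of shadow-utils.
from datetime import date

EPOCH = date(1970, 1, 1)
# The white3 entry exactly as quoted in the thread (hash left as posted).
WHITE3 = "white3:$1$lI.dioGw$Y/tabLB8qA/sjexL.0JXZ.:13010:0:1:1:14:13017:"
# Constructed entry using the -m 0 -M 30 -W 7 -I 60 policy Rick suggested.
RICK_POLICY = "demo:$1$constructed$hash:13010:0:30:7:60::"

def parse_shadow(line):
    """Split one shadow(5) entry into its nine fields; empty numeric
    fields mean 'not set' and become None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("shadow entry needs 9 fields, got %d" % len(fields))
    num = lambda s: int(s) if s.strip() else None
    entry = {"name": fields[0], "hash": fields[1]}
    entry.update(zip(("lastchg", "min", "max", "warn", "inactive", "expire"),
                     map(num, fields[2:8])))
    return entry

def aging_status(entry, now):
    """Return (state, days_left) for `entry` on day number `now` (days since
    1970-01-01, as shadow stores it); days_left is negative once expired."""
    if entry["expire"] is not None and now >= entry["expire"]:
        return ("account expired", 0)            # chage -E date reached
    if entry["lastchg"] == 0:
        return ("change required", 0)            # forced change at next login
    if entry["lastchg"] is None or entry["max"] is None:
        return ("ok", None)                      # no maximum age configured
    expires_on = entry["lastchg"] + entry["max"]
    remaining = expires_on - now
    if entry["inactive"] is not None and now >= expires_on + entry["inactive"]:
        return ("locked (inactive)", remaining)  # -I grace period used up
    if remaining <= 0:
        return ("password expired", remaining)   # login must demand a new one
    if entry["warn"] is not None and remaining <= entry["warn"]:
        return ("warn", remaining)               # inside the -W warning window
    return ("ok", remaining)

if __name__ == "__main__":
    today = (date(2005, 8, 18) - EPOCH).days  # the thread's date, day 13013
    for line in (WHITE3, RICK_POLICY):
        print(line.split(":")[0], aging_status(parse_shadow(line), today))
```

Run against the real file with `aging_status(parse_shadow(line), (date.today() - EPOCH).days)` for each line of /etc/shadow; for white3 on 2005-08-18 it reports the password as expired two days ago, which is what su and ssh show and telnet does not.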
