Password aging

Rick Stevens rstevens at vitalstream.com
Thu Aug 18 21:36:55 UTC 2005


Allen, Jack wrote:
> 
> -----Original Message-----
> From: Allen, Jack [mailto:Jack.Allen at McKesson.com] 
> Sent: Thursday, August 18, 2005 3:48 PM
> To: 'Getting started with Red Hat Linux'
> Subject: RE: Password aging
> 
> 
> 
> 
> -----Original Message-----
> From: Rick Stevens [mailto:rstevens at vitalstream.com] 
> Sent: Thursday, August 18, 2005 1:22 PM
> To: Getting started with Red Hat Linux
> Subject: Re: Password aging
> 
> 
> Allen, Jack wrote:
> 
>>-----Original Message-----
>>From: Rick Stevens [mailto:rstevens at vitalstream.com] 
>>Sent: Thursday, August 18, 2005 12:07 PM
>>To: Getting started with Red Hat Linux
>>Subject: Re: Password aging
>>
>>
>>Allen, Jack wrote:
>>
>>
>>>-----Original Message-----
>>>From: jludwig [mailto:wralphie at comcast.net] 
>>>Sent: Wednesday, August 17, 2005 8:21 PM
>>>To: Getting started with Red Hat Linux
>>>Subject: Re: Password aging
>>>
>>>
>>>On Wednesday 17 August 2005 06:46 pm, Allen, Jack wrote:
>>>
>>>
>>>
>>>>I have AS 4 64 bit installed. I have tried to enable password aging, but
>>>>cannot get it to work. I have used the chage command to change the
>>>>expiration day. I can show it should have expired by doing "chage -l
>>>>login_name". When I login I do not get a warning, and I am not asked to
>>>>change my password. Is there some other configuration file that needs to
>>>>be changed to enable it? The system is configured with shadow and md5
>>>>encryption.
>>>
>>>
>>>From;
>>>man chage
>>>
>>>      The  -E  option is used to set a date on which the user's account
>>>will no longer be accessible.  The expiredate option is the number of days
>>>since January 1, 1970 on which the account is locked.  The date may also be
>>>expressed in the format YYYY-MM-DD (or the format more  commonly  used  in
>>>your area).  A user whose account is locked must contact the system
>>>administrator before being able to use the system again.
>>>
>>>Did you set this?
>>>
>>>	I am not trying to lock the account. I am trying to force the user
>>>to change their password after a certain number of days. You know company
>>>rules. What should be happening is the user connects to the system,
>>>provides their login name and then gets prompted for their password. After
>>>they enter the password they should get a message that their password has
>>>expired and please enter a new one. In other words it would be like they
>>>got logged in and received a message to change their password and they
>>>entered "passwd".
>>
>>
>>You need to set the "-W n" (warn days) option to chage.  In other words,
>>to set a user's account to expire on September 1, 2005, and warn them
>>for 7 days previous, the chage command would be:
>>
>>     # chage -E 2005-09-01 -W 7 username
>>
>>
>>
>>>	I assume it is the login program that handles this by what it finds
>>>in the shadow file. I have also looked for configuration options for
>>>login, to try and determine if it should be paying any attention to the
>>>aging information in the shadow file. I could not find anything. I have
>>>even looked at PAM and found /etc/pam.d/login. But I determined by looking
>>>at the last accessed time on the file that it was not being accessed when
>>>I tested logging in. So I am still looking for what controls making the
>>>user change their password after some number of days.
>>
>>
>>That's the "-M" option.  Here's a form I use a lot and sets the
>>following criteria:
>>
>>     Disable an account after 60 days of inactivity
>>     Allow a user to change passwords whenever they want
>>     Force a password change every 30 days
>>     Warn the user for 7 days to change their password
>>
>>The corresponding chage command is:
>>
>>     # chage -I 60 -m 0 -M 30 -W 7 username
>>
>>You do know that chage will run in interactive mode if you don't specify
>>any options, e.g.
>>
>>     # chage username
>>
>>=============
>>These are the settings for user white3. When I connect I enter the login
>>name and then the password and get the shell prompt. It never warns me the
>>password will or has expired. So what am I missing? As I asked earlier,
>>exactly what program is supposed to be checking the values? I assume login,
>>maybe using one of the PAM configuration files.
>>
>>Changing the aging information for white3
>>Enter the new value, or press ENTER for the default
>>
>>        Minimum Password Age [0]: 
>>        Maximum Password Age [1]: 
>>        Last Password Change (YYYY-MM-DD) [2005-08-15]: 
>>        Password Expiration Warning [1]: 
>>        Password Inactive [14]: 
>>        Account Expiration Date (YYYY-MM-DD) [2005-08-22]:
> 
> 
> Ok, it absolutely should work.  Have you run pwck?  Also verify that
> /etc/shadow has all the fields filled in.
> =============
> Yes I have run pwck and it only complains about missing home directories.
> Example:
> user adm: directory /var/adm does not exist
> user news: directory /etc/news does not exist
> user uucp: directory /var/spool/uucp does not exist
> user gopher: directory /var/gopher does not exist
> user pcap: directory /var/arpwatch does not exist
> pwck: no changes
> 
> Here is the line from shadow:
> white3:$1$lI.dioGw$Y/tabLB8qA/sjexL.0JXZ.:13010:0:1:1:14:13017:
> 
> Thanks
> Jack Allen
> 
> ============
> More information: If I "su - white3", then I am told the password has
> expired (aged). If I "sshd -l white3 0", then I am told the same thing. All
> my other testing has been done by "telnet 0" and entering the login name and
> the password. I have done "ps -ef | grep login" when doing the sshd and
> telnet and both are executing login. Therefore I have to assume login is
> what should be using the shadow/aging information. But I cannot figure out
> why ssh works and telnet does not.

AH!  The lightbulb turns on!  I haven't used telnet in a long time and
wasn't aware that's what you were doing.

First, may I suggest that you disable telnetd immediately.  Never use it
unless you are behind a really strong firewall and can guarantee the
security of your network.  The telnet protocol is completely insecure
and sends EVERYTHING (including passwords) through in cleartext--which
is a bloody horrible idea as you can well imagine!

Now, on top of the security issues I mentioned above, all telnetd cares
about is whether login validates you or not.  Since the account hasn't
been disabled, login will approve you and telnet lets you log in.  Note,
however, that the warnings that login gives are (rather unceremoniously)
thrown away by telnetd.

If, however, password aging had expired the account (and therefore login
would reject you), then telnetd wouldn't let you in either.  telnetd is
a "pass or fail" system, not a "pass, pass with warnings, or fail"
system.

Hope that explains it a bit, and sorry about the misunderstanding.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-           grep me no patterns and I'll tell you no lines           -
----------------------------------------------------------------------
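The shadow line Jack posted and the chage options Rick lists both map onto the colon-separated fields of /etc/shadow (last change, min, max, warn, inactive, expire, all in days since 1970-01-01). The script below is an added example, not code from the thread or from the shadow or PAM projects: it evaluates those aging fields for a given day number in the same order the pam_unix account check applies them (account expiration, forced change, inactivity lock, maximum age, warning window), so an entry can be checked without logging in through a client such as telnetd that drops the warning. The sample entry is the white3 line from the post; the day number 13013 for 2005-08-18 is derived from the chage -l output above (13010 = 2005-08-15); POSIX sh is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate the password-aging fields
# of an /etc/shadow entry the way the pam_unix account check does.
#
# Assumptions: POSIX sh; "today" is passed as a day number (days since
# 1970-01-01, the unit chage and shadow(5) use). The sample entry is the
# white3 line posted in the thread.

# Constructed sample: the white3 line from the post.
SAMPLE='white3:$1$lI.dioGw$Y/tabLB8qA/sjexL.0JXZ.:13010:0:1:1:14:13017:'

# shadow_status LINE TODAY
# Prints one of:
#   account-expired   expiration date (field 8) reached: login refused (chage -E)
#   locked            expired longer ago than max+inactive: login refused (chage -I)
#   must-change       password older than max days: login must force a change (chage -M)
#   warn:<n>          inside the warning window, n days left (chage -W)
#   ok                no aging action
shadow_status() {
    line=$1
    today=$2
    # Split the nine fields; a here-doc avoids a subshell and does not
    # re-expand the $1$... hash after $line has been substituted.
    IFS=: read -r name hash lastchg min max warn inact expire reserved <<EOF
$line
EOF
    # Empty shadow fields mean "not set"; treat them as -1 (disabled).
    : "${lastchg:=-1}" "${max:=-1}" "${warn:=-1}" "${inact:=-1}" "${expire:=-1}"

    # 1. Account expiration is an absolute day and is checked first.
    if [ "$expire" -gt 0 ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return 0
    fi
    # 2. lastchg of 0 means "must change at next login" (chage -d 0).
    if [ "$lastchg" -eq 0 ]; then
        echo must-change; return 0
    fi
    # 3. No maximum age: aging is disabled for this account.
    if [ "$max" -lt 0 ]; then
        echo ok; return 0
    fi
    age=$((today - lastchg))
    # 4. Expired and past the inactivity grace period: account is locked.
    if [ "$inact" -ge 0 ] && [ "$age" -gt $((max + inact)) ]; then
        echo locked; return 0
    fi
    # 5. Expired: login must force a password change.
    if [ "$age" -gt "$max" ]; then
        echo must-change; return 0
    fi
    # 6. Inside the warning window: login should warn with days remaining.
    if [ "$warn" -ge 0 ] && [ "$age" -gt $((max - warn)) ]; then
        echo "warn:$((lastchg + max - today))"; return 0
    fi
    echo ok
}

# Demonstration: 2005-08-18 is day 13013, three days after the last change
# with a one-day maximum, so login has to force a change for white3.
shadow_status "$SAMPLE" 13013
```

Run against a real entry with `shadow_status "$(grep '^white3:' /etc/shadow)" $(( $(date +%s) / 86400 ))` as root. The result describes what login will decide; whether the user sees the "warn" or "must-change" message still depends on the client path, which is exactly the telnetd behaviour Rick describes.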




More information about the Redhat-install-list mailing list