Subject: Re: Password Expiration Change
To: Greg A. Woods <woods@kuma.web.net>
From: Simon J. Gerraty <sjg@zen.void.oz.au>
List: current-users
Date: 04/02/1995 13:00:41
> I've been thinking of adding full SVID compatible password expiration to
> NetBSD, though not necessarily SVID compliant (just tools to convert
> SysV passwd/shadow file format entries, etc.).  This might make NetBSD a
> teeny bit more attractive for current SysV users....
> 
> Is anyone else interested in this?

Yes and no.  

Having worked places where passwords were expired with ridiculous
frequency, I'm not totally in favour of password ageing as it is
often implemented, or rather used.

One site expired passwords monthly, and then didn't let you change
your password for a week!  So there you are in a _hurry_ to catch some
program gone wild, forced to pick a new password (so you give it
something flippant as you're already in a bad mood), then you can't
go back and fix it.  Is this more secure?

I do like, though, to be able to add users with a password that expires
the first time they log in.  (In SysV I think it is just a ","
at the end of the encrypted password).  I used to find that many users
_never_ changed their password from the default one allocated to them.
My super-dooper add_user script used to take care of that - if
password ageing was supported.

So yes, used properly, SysV style password aging is ok. However I
believe the best method is to simply put a time stamp in each password
record indicating when the password was changed.  You could then do a
monthly cron job to mail all users whose passwords are n days old and
ask them to change their password asap.  Any accounts with passwords
n+grace days old are simply locked.

A look at the man pages suggests NetBSD already has a change and
expire field in passwd though the usage is not quite as described
above. 

A quick look at login suggests that just about everything needed is
there except a magic value to indicate you must change your password
on first login. On seeing change == IMEDIATE_CHANGE, login could
invoke passwd(1) and if it exits happily, proceed with login.

I noticed too that su(1) does not support change or expire.  The
change warning at least should be there as many folk don't allow root
logins so no ageing would be enforced.

And only root should be able to su to an expired account.

--sjg
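As an added illustration of the aging scheme sketched in the message above (a "last changed" timestamp per password record, a periodic job that mails users at n days and locks accounts at n+grace days, and a magic value meaning "must change at first login"), here is example code that is not part of the original post and not NetBSD's own code. It assumes a hypothetical user:changed_epoch record format (a stand-in for a real master.passwd line, whose change field means something different, as the message notes), the helper names age_actions, cron_actions and sample_report are invented for the example, the sample records are constructed, and the job only prints what it would do rather than sending mail or locking anything.

```shell
#!/bin/sh
# Added example (not NetBSD code, not from the message's author): a dry-run
# sketch of the aging scheme proposed in the message -- a "last changed"
# timestamp per password record, a periodic job that warns users whose
# password is N days old and locks accounts at N+GRACE days, plus a magic
# value 0 meaning "must change at first login".  The record format
# user:changed_epoch is a hypothetical stand-in for a real master.passwd
# line (whose change field means something different).

# age_actions NOW N GRACE  < records
# Reads records on stdin and prints "user action age_days" per record:
#   ok          age <  N
#   warn        N <= age < N+GRACE     (user should be mailed)
#   lock        age >= N+GRACE         (account should be locked)
#   change-now  timestamp is 0         (force change at first login)
age_actions() {
    awk -F: -v now="$1" -v n="$2" -v grace="$3" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            user = $1; changed = $2 + 0
            if (changed == 0) { print user, "change-now", "-"; next }
            age = int((now - changed) / 86400)   # whole days since last change
            if      (age >= n + grace) act = "lock"
            else if (age >= n)         act = "warn"
            else                       act = "ok"
            print user, act, age
        }'
}

# cron_actions  < "user action age" lines
# Translates the classification into what the periodic job would do.  This
# only prints; a real job would send mail and set the account's expire field.
cron_actions() {
    while read -r user act age; do
        case "$act" in
            warn)       echo "mail $user: password is $age days old, change it soon" ;;
            lock)       echo "lock $user: password is $age days old, past grace" ;;
            change-now) echo "flag $user: must change password at first login" ;;
            ok)         ;;   # nothing to do
        esac
    done
}

# Constructed sample: four records relative to a fixed "now" of 1000000000
# (2001-09-09 UTC) so the run is reproducible without calling date(1).
# N=30 days before the warning, GRACE=14 more days before locking.
sample_report() {
    age_actions 1000000000 30 14 <<'EOF'
# user:changed_epoch   (constructed data)
alice:999136000
bob:996976000
carol:995680000
dave:0
EOF
}

# Run stand-alone to see the classification and the dry-run actions.
sample_report
sample_report | cron_actions
```

With the constructed data, alice (10 days) is left alone, bob (35 days) gets mailed, carol (50 days, past the 30+14 day grace) is locked, and dave's zero timestamp is the "change at first login" marker the message asks for in login(1).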