password policy

From: Kevin Lentin <kevinl_at_cs.monash.edu.au>
Date: Tue, 6 Feb 1996 11:49:38 +1100 (EST)

My security woes continue... Actually most things are working excellently
and somebody even suggested a way to create accounts with expired passwords
yet not have to impose restrictive password lifetimes.

BUT Because of the way our account creation system works, I want to turn
off password policy checking for the first password change. This should be
easy... Our createaccount program writes the pr_passwd entry with
u_restrict turned off, runs passwd and then turns u_restrict on again (or
removes the entry, thus giving the default). For some reason, this does not
work. passwd is still complaining about illegal passwords.

/etc/auth/system/default looks like this:
default:\
        :d_name=default:\
        :d_secclass=c2:\
        :d_boot_authenticate@:\
        :d_pw_expire_warning#3456000:\
        :d_pw_site_callout=/tcb/bin/pwpolicy:\
        :u_pwd=*:\
        :u_cmdpriv=boot,ping,printerstat,tape:\
        :u_syspriv=execsuid,chmodsugid:\
        :u_basepriv=execsuid,chmodsugid:\
        :u_minchg#0:u_minlen#6:u_maxlen#20:u_exp#315360000:\
        :u_life#0:u_pickpw:u_restrict:u_policy:\
        :u_pwdepth#0:u_nullpw@:u_genchars@:u_genletters@:\
        :u_maxtries#5:u_lock@:\
        :t_logdelay#2:t_maxtries#10:t_unlock#0:t_lock@:\
        :t_login_timeout#60:\
        :chkent:

And /tcb/files/auth/f/frob looks like this:
frob:u_name=frob:u_id#3041:u_oldcrypt#0:\
        :u_pwd=Nologin:\
        :u_exp#60480000:u_unsucchg#823242723:u_restrict@:\
        :chkent:


According to people who I have asked, the manual pages, and good old
common sense, this should allow me to enter _any_ password for this
user until the u_restrict@ is removed. Nope. It still restricts
passwords.

Ideas?

-- 
[=======================================================================]
[ Kevin Lentin                 |finger kevinl_at_fangorn.cs.monash.edu.au| ]
[ K.Lentin_at_cs.monash.edu.au    |for PGP public key block. Fingerprint | ]
[ Macintrash: 'Just say NO!'   |6024308DE1F84314  811B511DBA6FD596    | ]
[=======================================================================]
Received on Tue Feb 06 1996 - 02:09:27 NZDT
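
Added example (not part of the original message, and not vendor code): a small parser that merges a per-user entry over the system default, as the post describes, and reports the password-check fields that end up in effect. It assumes the usual authcap conventions (`name=string`, `name#number`, bare `name` for true, trailing `@` for false); the sample entries are trimmed copies of the two shown above, and the merge does not model what passwd itself does.

```python
import re

# Trimmed copies of the two entries quoted in the message (constructed sample input).
DEFAULT = r"""default:\
        :d_name=default:\
        :d_pw_site_callout=/tcb/bin/pwpolicy:\
        :u_minchg#0:u_minlen#6:u_maxlen#20:u_exp#315360000:\
        :u_life#0:u_pickpw:u_restrict:u_policy:\
        :chkent:"""

FROB = r"""frob:u_name=frob:u_id#3041:u_oldcrypt#0:\
        :u_pwd=Nologin:\
        :u_exp#60480000:u_unsucchg#823242723:u_restrict@:\
        :chkent:"""

# Fields from the sample that relate to password checking (hypothetical selection).
CHECK_FIELDS = ("u_restrict", "u_policy", "u_pickpw", "u_minlen", "d_pw_site_callout")

def parse_entry(text):
    """Return (entry_name, fields) for one authcap-style entry."""
    joined = re.sub(r"\\\s*\n\s*", "", text.strip())  # undo backslash continuations
    name, *caps = [c for c in joined.split(":") if c]
    fields = {}
    for cap in caps:
        if cap == "chkent":            # end-of-entry marker, not a setting
            continue
        if "=" in cap:                 # string value
            key, value = cap.split("=", 1)
            fields[key] = value
        elif "#" in cap:               # numeric value
            key, value = cap.split("#", 1)
            fields[key] = int(value)
        elif cap.endswith("@"):        # boolean explicitly turned off
            fields[cap[:-1]] = False
        else:                          # bare name: boolean turned on
            fields[cap] = True
    return name, fields

def effective(user_fields, default_fields):
    """User entry overrides the default; missing fields fall back to it."""
    merged = dict(default_fields)
    merged.update(user_fields)
    return merged

def check_settings(user_text, default_text):
    merged = effective(parse_entry(user_text)[1], parse_entry(default_text)[1])
    return {k: merged.get(k) for k in CHECK_FIELDS}

if __name__ == "__main__":
    for key, value in check_settings(FROB, DEFAULT).items():
        print(f"{key:20} {value}")
```

Running it against a copy of the real files shows which checks are overridden per user and which still come only from the default entry.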
