Expired system passwords are still authenticating
I've set up a Cisco router to authenticate against a freeradius server on a Linux box using the local system account. Everything looked great until I expired the password. If I log into that account on the Linux box it tells me the password has expired and I need to change it. However, if I log into the router it continues to authenticate that password just fine. What am I missing? Thanks, Mark
Hi,
I've set up a Cisco router to authenticate against a freeradius server on a Linux box using the local system account. Everything looked great until I expired the password. If I log into that account on the Linux box it tells me the password has expired and I need to change it. However, if I log into the router it continues to authenticate that password just fine. What am I missing?
A PAM module? specifically one that checks the account status..pam_pwdb perhaps? alan
Mark Tunnell <mtunnell@livebridge.com> wrote:
I've set up a Cisco router to authenticate against a freeradius server on a Linux box using the local system account. Everything looked great until I expired the password. If I log into that account on the Linux box it tells me the password has expired and I need to change it. However, if I log into the router it continues to authenticate that password just fine. What am I missing?
rlm_unix probably doesn't look at the expiry time of the password. Alan DeKok.
Are you expiring passwords are expiring accounts? This doesn't apply to you, but maybe there's an equiv in linux:
From FreeBSD pw(8)
USER LOCKING The pw utility supports a simple password locking mechanism for users; it works by prepending the string `*LOCKED*' to the beginning of the pass- word field in master.passwd to prevent successful authentication. The lock and unlock commands take a user name or uid of the account to lock or unlock, respectively. The -V, -C, and -q options as described above are accepted by these commands. --- Then just write a cron job that locks expired accounts / expired passwords. ~BAS On Thu, 17 Nov 2005, Mark Tunnell wrote:
rlm_unix probably doesn't look at the expiry time of the password.
Alan DeKok.
Is there an alternative mechanism I could employ that does?
Mark - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Brian A. Seklecki wrote:
Are you expiring passwords are expiring accounts?
This doesn't apply to you, but maybe there's an equiv in linux:
Thanks. I was thinking along these lines myself. An expired account does deny access while an expired password does not. I may end up going this route but I was hoping there was a more elegant solution. Mark
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Brian A. Seklecki -
Mark Tunnell