I did a search in the egroups pam-list archives for password expiration. It appears that it is possible to force users to change their passwords when they expire, but it didn't say two things:

1) What lines to add/modify in what pam files to force users to change their passwords
2) What lines to modify in what files to set the duration a password can be used before it expires.

I am having problems with pam_tally not working for ssh, ftp, telnet. I am using pam-0.72 on RedHat 6.2, telnet-server-0.16-6.rpm, openssh-server-2.1.1p2, and proftpd-1.2.0. I know openssh and proftpd are compiled with pam support; the redhat telnet server I don't know, although it claims to run /bin/login by default. The only thing it appears to work with is login, although I modified the sshd and ftp files the same as login below:

    #%PAM-1.0
    auth       required     /lib/security/pam_securetty.so
    auth       required     /lib/security/pam_tally.so
    auth       required     /lib/security/pam_pwdb.so shadow nullok
    auth       required     /lib/security/pam_nologin.so
    account    required     /lib/security/pam_tally.so deny=5 reset
    account    required     /lib/security/pam_pwdb.so
    password   required     /lib/security/pam_cracklib.so
    password   required     /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
    session    required     /lib/security/pam_pwdb.so
    session    optional     /lib/security/pam_console.so

So if telnetd runs /bin/login, how come if I run /bin/login as a user the tally function works, but if I log in via telnet it doesn't? Also, is there some kind of sshd bug I don't know about, and what about ftp? What should the permissions be on /var/log/faillog and what user:group should own it?

Thanks,

----------------
Running on Linux 2.4
Michael A. Dietz
mad099@dietznet.net