bin/93310: pam_unix ignores 'passwordtime' from login.conf

Jan Srzednicki w at wrzask.pl
Mon Feb 13 13:40:06 PST 2006


>Number:         93310
>Category:       bin
>Synopsis:       pam_unix ignores 'passwordtime' from login.conf
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 13 21:40:04 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Jan Srzednicki
>Release:        FreeBSD 6.0-STABLE i386
>Organization:
none
>Environment:
System: FreeBSD oak.pl 6.0-STABLE FreeBSD 6.0-STABLE #1: Wed Feb 1 17:46:40 CET 2006 


	
>Description:

The 'passwordtime' field in login.conf should be used when a password is
changed, so that an administrator can enforce a password change every given
fixed period of time. However, since passwd(1) now uses pam_unix(8) to do the
actual password change, that functionality is gone, because pam_unix does not
support it.

	
>How-To-Repeat:

Set the 'passwordtime' field in login.conf for a given class, rebuild
login.conf with cap_mkdb and change the password of a user from that class.
Use chpass or anything else to see that the 'change' field in master.passwd
is set to 0.

	
>Fix:

Here's the patch (a really trivial one) I've found in the questions@ archives.
I can confirm it's working on 6.0.

--- src/lib/libpam/modules/pam_unix/pam_unix.c.orig     Mon Feb 13 22:30:28 2006
+++ src/lib/libpam/modules/pam_unix/pam_unix.c  Mon Feb 13 22:33:01 2006
@@ -371,11 +371,13 @@
                if ((old_pwd = pw_dup(pwd)) == NULL)
                        return (PAM_BUF_ERR);
 
-               pwd->pw_change = 0;
                lc = login_getclass(pwd->pw_class);
                if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
                        openpam_log(PAM_LOG_ERROR,
                            "can't set password cipher, relying on default");
+               pwd->pw_change = login_getcaptime(lc, "passwordtime", 0, 0);
+               if (pwd->pw_change)
+                       pwd->pw_change += time(NULL);
                login_close(lc);
                makesalt(salt);
                pwd->pw_passwd = crypt(new_pass, salt);
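
Review bot: In the added `login_getcaptime(lc, "passwordtime", 0, 0)` call, the default and the error return are both 0, so a malformed 'passwordtime' value in login.conf cannot be told apart from an unset one and silently leaves pw_change at 0, which means no expiry is enforced. Consider passing a distinct error value (for example -1) and reporting it with openpam_log(PAM_LOG_ERROR, ...) the same way the login_setcryptfmt() failure just above is reported. Two smaller points on the same three lines: login_getcaptime() returns rlim_t while pw_change is time_t, so the assignment narrows implicitly on platforms with a 32-bit time_t and deserves an explicit range check before time(NULL) is added; and the hunk does not show whether <time.h> is already included in pam_unix.c for the new time() call, so confirm that as well.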


>Release-Note:
>Audit-Trail:
>Unformatted:

