Date: Mon, 13 Feb 2006 22:37:04 +0100 (CET)
From: Jan Srzednicki <w@wrzask.pl>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: mcl@mclhq.com
Subject: bin/93310: pam_unix ignores 'passwordtime' from login.conf
Message-ID: <20060213213704.E79F917037@oak.pl>
Resent-Message-ID: <200602132140.k1DLe5XE017999@freefall.freebsd.org>
>Number: 93310
>Category: bin
>Synopsis: pam_unix ignores 'passwordtime' from login.conf
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Feb 13 21:40:04 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Jan Srzednicki
>Release: FreeBSD 6.0-STABLE i386
>Organization: none
>Environment:
System: FreeBSD oak.pl 6.0-STABLE FreeBSD 6.0-STABLE #1: Wed Feb 1 17:46:40 CET 2006
>Description:
The 'passwordtime' field in login.conf should be used by the password changing, so that an administrator can enforce a password change every given fixed period of time. However, as passwd(1) now uses pam_unix(8) to do the actual password change, that functionality is gone, because pam_unix does not support it.
>How-To-Repeat:
Set the 'passwordtime' field in login.conf for a given class, rebuild login.conf with cap_mkdb and change the password of a user from that class. Use chpass or anything to see that the 'change' field in master.passwd is set to 0.
>Fix:
Here's the patch (a really trivial one) I've found on questions@ archives. I can confirm it's working on 6.0.

--- src/lib/libpam/modules/pam_unix/pam_unix.c.orig Mon Feb 13 22:30:28 2006 +++ src/lib/libpam/modules/pam_unix/pam_unix.c Mon Feb 13 22:33:01 2006 @@ -371,11 +371,13 @@ if ((old_pwd = pw_dup(pwd)) == NULL) return (PAM_BUF_ERR); - pwd->pw_change = 0; lc = login_getclass(pwd->pw_class); if (login_setcryptfmt(lc, password_hash, NULL) == NULL) openpam_log(PAM_LOG_ERROR, "can't set password cipher, relying on default"); + pwd->pw_change = login_getcaptime(lc, "passwordtime", 0, 0); + if (pwd->pw_change) + pwd->pw_change += time(NULL); login_close(lc); makesalt(salt); pwd->pw_passwd = crypt(new_pass, salt);

>Release-Note:
>Audit-Trail:
>Unformatted:
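
Review bot: In the added `login_getcaptime(lc, "passwordtime", 0, 0)` call, the default and error arguments are both 0, so a malformed `passwordtime` value in login.conf cannot be told apart from an unset one and silently leaves `pw_change` at 0, meaning no expiry is enforced. Consider passing a distinct error value and reporting that case with `openpam_log(PAM_LOG_ERROR, ...)`, the way the `login_setcryptfmt` failure just above it is reported, so a typo in the class definition does not quietly disable password aging. The hunk also introduces a `time(NULL)` call while the patch contains no change to the includes, so confirm that `<time.h>` is already included in pam_unix.c.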