Date:      Fri, 17 Feb 2006 12:17:13 +0100
From:      "Björn König" <bkoenig@cs.tu-berlin.de>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/93473: Let pam_unix(8) use "passwordtime" from login.conf(5) to set next password expiry date
Message-ID:  <20060217111713.E8FE65285D@eurystheus.local>
Resent-Message-ID: <200602171120.k1HBK6hk012195@freefall.freebsd.org>


>Number:         93473
>Category:       bin
>Synopsis:       Let pam_unix(8) use "passwordtime" from login.conf(5) to set next password expiry date
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 17 11:20:03 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Björn König
>Release:        
>Organization:
>Environment:

	
>Description:
	login.conf(5) describes a non-implemented feature that allows you
	to set a password expiry date that will be applied every time a user
	of the login class changes his password. The patch below adds this
	functionality to pam_unix(8) and updates login.conf(5) accordingly.

	In fact these lines are stolen from
	src/release/picobsd/tinyware/passwd/local_passwd.c 

>How-To-Repeat:
>Fix:

	

--- passwordtime.diff begins here ---
--- src/lib/libpam/modules/pam_unix/pam_unix.c.orig	Fri Feb 17 11:28:12 2006
+++ src/lib/libpam/modules/pam_unix/pam_unix.c	Fri Feb 17 11:30:27 2006
@@ -371,11 +371,21 @@
 		if ((old_pwd = pw_dup(pwd)) == NULL)
 			return (PAM_BUF_ERR);
 
-		pwd->pw_change = 0;
 		lc = login_getclass(pwd->pw_class);
 		if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
 			openpam_log(PAM_LOG_ERROR,
 			    "can't set password cipher, relying on default");
+		
+		/* set password expiry date */
+		pwd->pw_change = 0;
+		if (lc != NULL) {
+			time_t period;
+			period = login_getcaptime(lc, "passwordtime", 0, 0);
+			if (period > (time_t)0) {
+				pwd->pw_change = time(NULL) + period;
+			}
+		}
+		
 		login_close(lc);
 		makesalt(salt);
 		pwd->pw_passwd = crypt(new_pass, salt);
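Review bot: in the added expiry block, login_getcaptime(lc, "passwordtime", 0, 0) passes 0 as both the default and the error value, so a passwordtime entry that fails to parse cannot be told apart from one that is absent. In both cases the new password is stored with pw_change = 0, meaning no expiry, and nothing is logged. Pass a distinct error value (for example -1) and report it with openpam_log(PAM_LOG_ERROR, ...), the way the login_setcryptfmt failure just above is reported. Two smaller points: time(NULL) + period is not checked against time_t overflow for very large periods, and the two added separator lines consist of trailing tabs only.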
--- src/lib/libutil/login.conf.5.orig	Sun Feb 27 23:24:24 2005
+++ src/lib/libutil/login.conf.5	Fri Feb 17 11:38:04 2006
@@ -253,6 +253,9 @@
 NIS server should probably use "des".
 .It "passwd_prompt	string		The password prompt presented by
 .Xr login 1
+.It "passwordtime	time		Used by
+.Xr pam_unix 8
+to set next password expiry date.
 .It "times.allow 	list		List of time periods during which
 logins are allowed.
 .It "times.deny	list		List of time periods during which logins are
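Review bot: the added passwordtime entry says only "Used by pam_unix 8 to set next password expiry date", which leaves out what the pam_unix.c hunk actually does. The value is a period added to the time of the password change, and an unset or non-positive value clears the expiry (pw_change = 0). State both in the description so an administrator can tell that omitting the capability means passwords set through pam_unix never expire.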
@@ -388,9 +391,6 @@
 .Xr passwd 1
 will warn the user if an all lower case password is entered.
 .It "monthtime 	time		Maximum login time per month.
-.It "passwordtime	time		Used by
-.Xr passwd 1
-to set next password expiry date.
 .It "refreshtime 	time		New time allowed on account refresh.
 .It "refreshperiod	str		How often account time is refreshed.
 .It "sessiontime 	time		Maximum login time per session.
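Review bot: neither login.conf.5 hunk touches the .Dd line, although the entry removed here at -388 and re-added at +253 changes what the page documents. Bump the document date in the same patch so the rendered manual page reflects the change.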
--- passwordtime.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


