Date:      Mon, 13 Feb 2006 22:37:04 +0100 (CET)
From:      Jan Srzednicki <w@wrzask.pl>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        mcl@mclhq.com
Subject:   bin/93310: pam_unix ignores 'passwordtime' from login.conf
Message-ID:  <20060213213704.E79F917037@oak.pl>
Resent-Message-ID: <200602132140.k1DLe5XE017999@freefall.freebsd.org>

>Number:         93310
>Category:       bin
>Synopsis:       pam_unix ignores 'passwordtime' from login.conf
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 13 21:40:04 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Jan Srzednicki
>Release:        FreeBSD 6.0-STABLE i386
>Organization:
none
>Environment:
System: FreeBSD oak.pl 6.0-STABLE FreeBSD 6.0-STABLE #1: Wed Feb 1 17:46:40 CET 2006 


	
>Description:

The 'passwordtime' field in login.conf should be used when changing a password,
so that an administrator can enforce a password change every given fixed period
of time. However, as passwd(1) now uses pam_unix(8) to do the actual password
change, that functionality is gone, because pam_unix does not support it.

	
>How-To-Repeat:

Set the 'passwordtime' field in login.conf for a given class, rebuild
login.conf with cap_mkdb and change the password of a user from that class.
Use chpass or anything to see that the 'change' field in master.passwd
is set to 0.

	
>Fix:

Here's the patch (a really trivial one) I've found in the questions@ archives.
I can confirm it's working on 6.0.

--- src/lib/libpam/modules/pam_unix/pam_unix.c.orig     Mon Feb 13 22:30:28 2006
+++ src/lib/libpam/modules/pam_unix/pam_unix.c  Mon Feb 13 22:33:01 2006
@@ -371,11 +371,13 @@
                if ((old_pwd = pw_dup(pwd)) == NULL)
                        return (PAM_BUF_ERR);
 
-               pwd->pw_change = 0;
                lc = login_getclass(pwd->pw_class);
                if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
                        openpam_log(PAM_LOG_ERROR,
                            "can't set password cipher, relying on default");
+               pwd->pw_change = login_getcaptime(lc, "passwordtime", 0, 0);
+               if (pwd->pw_change)
+                       pwd->pw_change += time(NULL);
                login_close(lc);
                makesalt(salt);
                pwd->pw_passwd = crypt(new_pass, salt);
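
Review bot: The new call `login_getcaptime(lc, "passwordtime", 0, 0)` passes 0 as both the default and the error value, so a `passwordtime` entry that fails to parse is indistinguishable from one that is unset, and the account silently ends up with `pw_change = 0` (no expiry). Consider passing a distinct error value such as -1 and reporting it with `openpam_log(PAM_LOG_ERROR, ...)`, the way the `login_setcryptfmt` failure just above is reported. Also confirm that pam_unix.c includes <time.h> for the added `time(NULL)` call, and write the test as `if (pwd->pw_change != 0)` to match the explicit `== NULL` comparisons in the surrounding lines.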


>Release-Note:
>Audit-Trail:
>Unformatted:
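
To find accounts affected by the behaviour this report describes, the following added example (not part of the original PR or of FreeBSD) lists users whose login class sets 'passwordtime' but whose master.passwd 'change' field is 0. The login.conf parser is a simplified assumption (it folds continuation lines and follows tc= but ignores escaped colons), and the sample data is constructed.

```python
import re

# Constructed sample data (not from the PR): a login.conf fragment and
# master.passwd lines (name:pw:uid:gid:class:change:expire:gecos:home:shell).
LOGIN_CONF = ("default:\\\n\t:passwd_format=md5:\n"
              "staff:\\\n\t:passwordtime=90d:\\\n\t:tc=default:\n"
              "ops:\\\n\t:tc=staff:\n")
MASTER_PASSWD = """\
root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:staff:0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002:staff:1147556224:0:Bob:/home/bob:/bin/sh
carol:*:1003:1003:ops:0:0:Carol:/home/carol:/bin/sh
"""

def parse_login_conf(text):
    """Return {class: {cap: value}} (simplified parser, no escaped colons)."""
    classes = {}
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # fold continuations
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        names, *caps = [f.strip() for f in line.split(":") if f.strip()]
        entry = dict(c.split("=", 1) if "=" in c else (c, "") for c in caps)
        for name in names.split("|"):  # a record may carry aliases
            classes[name] = entry
    return classes

def passwordtime(classes, name, seen=()):
    """Resolve 'passwordtime' for a class, following tc= inheritance."""
    entry = classes.get(name)
    if entry is None or name in seen:  # unknown class or tc= loop
        return None
    if "passwordtime" in entry:
        return entry["passwordtime"]
    return passwordtime(classes, entry.get("tc"), seen + (name,))

def unexpiring_accounts(login_conf, master_passwd):
    """Users whose class sets passwordtime but whose 'change' field is 0."""
    classes, hits = parse_login_conf(login_conf), []
    for line in master_passwd.splitlines():
        f = line.split(":")
        if line.startswith("#") or len(f) != 10:
            continue
        ttl = passwordtime(classes, f[4] or "default")  # empty class = default
        if ttl not in (None, "", "0") and f[5] in ("", "0"):
            hits.append((f[0], f[4] or "default", ttl))
    return hits

if __name__ == "__main__":
    print(unexpiring_accounts(LOGIN_CONF, MASTER_PASSWD))
```

A hit means no password expiry is scheduled for that account; it also matches users who have not changed their password since 'passwordtime' was configured, so treat the output as a list to review.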


