tags 78961 confirmed
thanks

On Thu, Dec 07, 2000 at 01:19:02AM +0100, Tomas Ogren wrote:
> If the user has the expiry field[0] set to 0 in /etc/shadow, the passwd
> command treats it as an expired account[1] whereas chage[2] displays
> that it will never expire. Removing the 0 to make the field empty makes
> passwd[3] and chage[2] accept it. I can ssh in with openssh.
I will try to provide a detailed analysis. The fix is really close, you didn't wait 4 years for nothing ;)

The code of su or passwd (and probably many other shadow commands, this should be checked) uses PAM.
su uses pam_acct_mgmt
passwd uses pam_chauthtok
In chage, the expiration verification is performed internally by shadow.

su considers that the password will never expire, as chage does. passwd considers that it has expired.

A better analysis may be required for the other shadow commands and for the shadow code enclosed in "#ifndef USE_PAM" (which is not compiled for the Debian packages).

> This did not happen in Debian 2.1. In Red Hat 7.0 you can neither su to
> the account (from non-root), run passwd nor login with openssh.
>
> The question is: what's right? Is 0 disabled or enabled? Just lack of
> good spec?

That is the question, and the reason why I'm CCing the Debian PAM maintainer. Maybe Tomasz, you can also help on this issue.

Is there a specification on the expiry field? IMHO PAM is standardized by the Open Group, but to what extent? Is this point specified?

I had a look at PAM's source. In the pam_unix module:
 * pam_sm_acct_mgmt considers a sp_expire of 0 equivalent to -1 (i.e. no expiry specified in the shadow file, for a password which never expires)
 * pam_sm_chauthtok may[0] consider a null sp_expire field equivalent to an expiration date equal to Jan 01, 1970.
The pam_pwdb module also considers 0 equivalent to -1 in _shadow_acct_mgmt_exp.

Currently, the best solution I can see is to document the fact that an expiry field of 0 means the password never expires (not a lot of users will want to set an expiry date of Jan 1, 1970), and to fix PAM's and shadow's sources accordingly.

[0] I've just read the source; I still need to test if passwd and su will behave the same way if pam_sm_chauthtok is modified. I will report here and/or in a PAM bug.

Thanks in advance,
-- 
Nekral
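As an added illustration (not code from the bug report, shadow or PAM), the following Python audit parses constructed /etc/shadow lines and evaluates each entry under the two readings of sp_expire described in the mail: the acct_mgmt/chage reading (0 behaves like an empty field, never expires) and the passwd/chauthtok reading (0 is taken literally as Jan 1, 1970, so already expired). Entries on which the two readings disagree are exactly the ambiguous accounts an administrator would want to find and fix by clearing the field.

```python
# Constructed sample /etc/shadow lines (not from a real system): sp_expire is
# empty for alice, "0" for bob, a future day for carol, a past day for dave.
SAMPLE_SHADOW = """\
alice:$1$abc$hash:11298:0:99999:7:::
bob:$1$def$hash:11298:0:99999:7::0:
carol:$1$ghi$hash:11298:0:99999:7::11500:
dave:$1$jkl$hash:11298:0:99999:7::11000:
"""

def expire_field(line: str):
    """Return sp_expire (8th colon-separated field, days since 1970-01-01)
    as an int, or None when the field is empty."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError(f"malformed shadow line: {line!r}")
    return None if fields[7] == "" else int(fields[7])

def expired_acct_mgmt(sp_expire, today_days: int) -> bool:
    """pam_sm_acct_mgmt / pam_pwdb / chage reading: 0 acts like -1 (never)."""
    if sp_expire is None or sp_expire <= 0:
        return False
    return today_days >= sp_expire

def expired_chauthtok(sp_expire, today_days: int) -> bool:
    """passwd / pam_sm_chauthtok reading: only an empty field means never;
    0 is a real date, 1 Jan 1970, and so is already in the past."""
    if sp_expire is None or sp_expire < 0:
        return False
    return today_days >= sp_expire

def audit(shadow_text: str, today_days: int) -> dict:
    """Map user -> (acct_mgmt_expired, chauthtok_expired) for each entry on
    which the two readings disagree, i.e. the sp_expire == 0 case."""
    disagreements = {}
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user = line.split(":", 1)[0]
        exp = expire_field(line)
        a, c = expired_acct_mgmt(exp, today_days), expired_chauthtok(exp, today_days)
        if a != c:
            disagreements[user] = (a, c)
    return disagreements

if __name__ == "__main__":
    # Evaluate as of the report's date, 7 Dec 2000 (day 11298 since the epoch).
    for user, (a, c) in audit(SAMPLE_SHADOW, 11298).items():
        print(f"{user}: acct_mgmt expired={a}, chauthtok expired={c}")
```

Only bob is reported, since an empty field, a future date and a past date are judged the same way by both readings.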