Hi, On Mon, Mar 28, 2005 at 10:39:59PM +0300, Alexander Gattin wrote: > IMHO, the right way is to treat the semanthics of > shadow's 8th field literally. I.e. value of 0 should > mean that account expires Jan 1, 1970. Period. > > Everything else should be fixed accordingly. Debian > 2.1 and RH7.0 did the things right in this aspect.
Thanks for your answer Alexander, I now concur in your opinion. Since the last mail, I had a closer look at PAM. Debian's PAM treat 0 and "no value" (-1) the same way since #45446. The fix (007_modules_pam_unix) was another try at fixing this PAM / chage difference. I had a look at other PAM sources (upstream on kernel.org, RedHat Fedora core 3 and development). They do not have such a patch. So I now think the best way is to fix chage so that it does not display Account Expires: Never but Account Expires: Jan 01, 1970 (Other changes not related to this field will be needed, e.g. lastday == 0 means that the password must be changed on next login). This is I think the only change for the shadow package (this is IMO coherent with the chage and shadow.5 pages). Regarding PAM, I think a big part of 007_modules_pam_unix should be dropped. This concerns the handling of the sp_expire, sp_max sp_inact and sp_warn fields when they are null. > Tomasz could consult us about Solaris behavior > with regard to these matters. ;) That would be interesting. I would also like to have Sam Hartman (Debian PAM maintainer) opinion. (I will anyway submit a bug to pam because of the pam_sm_acct_mgmt / pam_sm_chauthtok difference) Kind Regards, -- Nekral -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
