Package: libpam-ldap
Version: 180-1.7
Severity: wishlist
Tags: patch
I use pam_ldap to authenticate systems that accept SSH passwords as well as ones that explicitly do not allow passwords (relying on SSH keys instead). For these latter systems, there is no way I have found to tell pam_ldap to ignore password aging (which is required for any system here that does allow passwords) and requiring users to change a password that is never used is frustrating. The patch below adds the option "account pam_ldap.so no_shadow" which will direct pam_ldap.so to ignore any interpretation of shadow information. It is made against the patched Debian source. I am not a PAM internals expert but this mod does seem to do the right thing in my tests. Thanks, -Brett. --- libpam-ldap-180/pam_ldap.c 2007-07-27 17:18:24.000000000 -0400 +++ libpam-ldap-180-mod/pam_ldap.c 2007-07-27 17:07:29.000000000 -0400 @@ -3730,7 +3730,7 @@ */ int rc; const char *username; - int no_warn = 0, ignore_flags = 0; + int no_warn = 0, ignore_flags = 0, no_shadow = 0; int i, success = PAM_SUCCESS; struct pam_conv *appconv; pam_ldap_session_t *session = NULL; @@ -3750,6 +3750,8 @@ configFile = argv[i] + 7; else if (!strcmp (argv[i], "no_warn")) no_warn = 1; + else if (!strcmp (argv[i], "no_shadow")) + no_shadow = 1; else if (!strcmp (argv[i], "ignore_unknown_user")) ignore_flags |= IGNORE_UNKNOWN_USER; else if (!strcmp (argv[i], "ignore_authinfo_unavail")) @@ -3806,7 +3808,7 @@ /* Check shadow expire conditions */ /* Do we have an absolute expiry date? */ - if (session->info->shadow.expire > 0) + if (!no_shadow && session->info->shadow.expire > 0) { if (currentday >= session->info->shadow.expire) { @@ -3814,7 +3816,7 @@ } } - if (session->info->shadow.lstchg == 0) + if (!no_shadow && session->info->shadow.lstchg == 0) { /* * Adhere to convention of a shadow last change 
@@ -3829,7 +3831,8 @@ * Also check if user hasn't changed password for the inactive * amount of time. This also counts as an expired account. */ - if ((session->info->shadow.lstchg > 0) && + if ((!no_shadow) && + (session->info->shadow.lstchg > 0) && (session->info->shadow.max > 0) && (session->info->shadow.inact > 0)) { if (currentday >= (session->info->shadow.lstchg + @@ -3841,7 +3844,8 @@ } /* Our shadow information should be populated, so do some calculations */ - if ((session->info->shadow.lstchg > 0) && (session->info->shadow.max > 0)) + if ((!no_shadow) && + (session->info->shadow.lstchg > 0) && (session->info->shadow.max > 0)) { if (currentday >= (session->info->shadow.lstchg + session->info->shadow.max)) @@ -3896,7 +3900,7 @@ /* * If the password's expired, no sense warning */ - if (session->info->policy_error != POLICY_ERROR_PASSWORD_EXPIRED) + if (!no_shadow && session->info->policy_error != POLICY_ERROR_PASSWORD_EXPIRED) { if (session->info->shadow.warn > 0) /* shadowAccount */ {
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages libpam-ldap depends on:
ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libldap2 2.1.30-13.3 OpenLDAP libraries
ii libpam0g 0.79-4 Pluggable Authentication Modules l

libpam-ldap recommends no packages.

-- debconf information excluded
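Review bot: the new no_shadow option parsed in the @@ -3750 hunk is not documented anywhere; the patch touches only pam_ldap.c, so the man page and configuration documentation that already describe no_warn and ignore_unknown_user should gain an entry for no_shadow that lists exactly which checks it disables (the absolute expiry, last-change, inactive, maximum-age and warning checks guarded later in the patch). Without that, an administrator enabling it on a key-only host cannot tell what account controls are being switched off.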
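Review bot: in the @@ -3806 hunk, `!no_shadow &&` is placed in front of the absolute expiry check (`if (session->info->shadow.expire > 0)`), but an absolute expiry date is an account-expiry condition, not a password-aging one. The stated motivation is to stop unused passwords from aging on hosts that accept only SSH keys; with this guard, however, an account whose shadow expiry date has already passed is still accepted when no_shadow is set, so a disabled or departed user's keys keep working on every host where the option is enabled. Suggest keeping the expire check outside the guard, i.e. leaving `if (session->info->shadow.expire > 0)` as it was, and limiting no_shadow to the lstchg, max, inact and warn checks; if ignoring account expiry is really intended, that needs to be stated explicitly in the option's documentation.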
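Review bot: across the @@ -3814, @@ -3829, @@ -3841 and @@ -3896 hunks the same `(!no_shadow) &&` prefix is repeated on five separate conditions, so any shadow check added to this section later will silently miss the guard. A single `if (!no_shadow) { ... }` enclosing the whole shadow block, or one early skip placed before the `/* Check shadow expire conditions */` comment, would express the intent once. It would also fix the comment at @@ -3896, where `If the password's expired, no sense warning` no longer describes the condition below it now that the condition also depends on no_shadow.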