Hi,
On Tue, Jan 26, Tomas Mraz wrote:
Hello,
OpenSSH sshd calls (correctly) pam_acct_mgmt even for authentication
methods that do not involve user passwords. The attached patch allows
pam_unix to optionally ignore the password expiration. What do you
think about it? Would it be OK to commit if I also provide
documentation of the no_pass_expiry option?
I have no problem with the patch, but I think if the password
expiration should be ignored, they should not set it, openssh
should not call it, or the admin should not configure it ...
Thorsten
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
diff --git a/modules/pam_unix/pam_unix_acct.c
b/modules/pam_unix/pam_unix_acct.c
index 2799845..d9cf811 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -235,6 +235,11 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char
**argv)
} else
retval = check_shadow_expiry(pamh, spent, &daysleft);
+ if (on(UNIX_NO_PASS_EXPIRY, ctrl) &&
+ (retval == PAM_NEW_AUTHTOK_REQD || retval == PAM_AUTHTOK_EXPIRED)) {
+ retval = PAM_SUCCESS;
+ }
+
switch (retval) {
case PAM_ACCT_EXPIRED:
pam_syslog(pamh, LOG_NOTICE,
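Review bot: the new branch rewrites retval to PAM_SUCCESS before the switch that follows, so whatever notice the switch would log via pam_syslog for an expired or must-change password is never emitted and the admin gets no record that expiry was bypassed for this login; a pam_syslog(pamh, LOG_NOTICE, ...) naming the user inside the `if (on(UNIX_NO_PASS_EXPIRY, ctrl) && ...)` block would keep that audit trail. It is also worth confirming that folding PAM_AUTHTOK_EXPIRED in with PAM_NEW_AUTHTOK_REQD is intended: they are distinct results from check_shadow_expiry, and treating both as success makes the option do more than suppress the change-password-at-next-login case.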
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 3729ce0..b9b1b1f 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -98,9 +98,10 @@ typedef struct {
#define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
#define UNIX_MIN_PASS_LEN 27 /* min length for password */
#define UNIX_QUIET 28 /* Don't print informational messages */
-#define UNIX_DES 29 /* DES, default */
+#define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration */
+#define UNIX_DES 30 /* DES, default */
/* -------------- */
-#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */
+#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */
#define
UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
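Review bot: the comment on the new define, `/* Don't check for password expiration */`, overstates what the option does: check_shadow_expiry still runs and only its result is discarded, so "ignore the password expiration result" is more accurate, and the same wording should go into the pam_unix(8) man page entry that is still to be written. Inserting the value at 29 and bumping UNIX_DES to 30 is only safe because these defines index unix_args[UNIX_CTRLS_], so the table must gain its entry at exactly the same position (between quiet and des), and UNIX_CTRLS_ correctly moves to 31.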
@@ -138,6 +139,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000,
1},
/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000,
0},
+/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000,
0},
/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0,
1},
};
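Review bot: the new entry uses mask `_ALL_ON_` with flag `02000000000`, so setting no_pass_expiry clears no other control bit, and the bit sits above the `01000000000` used by quiet; please double-check that 02000000000 is not already assigned to an entry outside this hunk. The `des` entry's mask `_ALL_ON_^(0260420000)` does not cover the new bit, so `no_pass_expiry` followed by `des` on the same line keeps the option set, which is the intended behaviour. Position in the table matches the renumbered define (after UNIX_QUIET, before UNIX_DES).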
_______________________________________________
Pam-developers mailing list
pam-developers(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/pam-developers@lists.fedorahos...
--
Thorsten Kukuk, Senior Architect SLES & Common Code Base
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)