From winfried@oak.pl  Mon Feb 13 21:37:10 2006
Return-Path: <winfried@oak.pl>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EE45316A420
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 13 Feb 2006 21:37:10 +0000 (GMT)
	(envelope-from winfried@oak.pl)
Received: from oak.pl (mx.oak.pl [217.96.108.251])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5693443D70
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 13 Feb 2006 21:37:07 +0000 (GMT)
	(envelope-from winfried@oak.pl)
Received: by oak.pl (Postfix, from userid 1002)
	id E79F917037; Mon, 13 Feb 2006 22:37:04 +0100 (CET)
Message-Id: <20060213213704.E79F917037@oak.pl>
Date: Mon, 13 Feb 2006 22:37:04 +0100 (CET)
From: Jan Srzednicki <w@wrzask.pl>
To: FreeBSD-gnats-submit@freebsd.org
Cc: mcl@mclhq.com
Subject: pam_unix ignores 'passwordtime' from login.conf
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         93310
>Category:       bin
>Synopsis:       [libpam] [patch] pam_unix ignores 'passwordtime' from login.conf
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 13 21:40:04 GMT 2006
>Closed-Date:    Fri Apr 27 21:41:05 UTC 2012
>Last-Modified:  Fri Apr 27 21:50:11 UTC 2012
>Originator:     Jan Srzednicki
>Release:        FreeBSD 6.0-STABLE i386
>Organization:
none
>Environment:
System: FreeBSD oak.pl 6.0-STABLE FreeBSD 6.0-STABLE #1: Wed Feb 1 17:46:40 CET 2006 


	
>Description:

The 'passwordtime' field in login.conf should be used when changing passwords,
so that the administrator can enforce a password change every given fixed period
of time. However, as passwd(1) now uses pam_unix(8) to do the actual password
change, that functionality is gone, because pam_unix does not support it.

	
>How-To-Repeat:

Set the 'passwordtime' field in login.conf for a given class, rebuild
login.conf with cap_mkdb and change the password of a user from that class.
Use chpass or anything to see that the 'change' field in master.passwd
is set to 0.

	
>Fix:

Here's the patch (a really trivial one) I've found on questions@ archives.
I can confirm it's working on 6.0.

--- src/lib/libpam/modules/pam_unix/pam_unix.c.orig     Mon Feb 13 22:30:28 2006
+++ src/lib/libpam/modules/pam_unix/pam_unix.c  Mon Feb 13 22:33:01 2006
@@ -371,11 +371,13 @@
                if ((old_pwd = pw_dup(pwd)) == NULL)
                        return (PAM_BUF_ERR);
 
-               pwd->pw_change = 0;
                lc = login_getclass(pwd->pw_class);
                if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
                        openpam_log(PAM_LOG_ERROR,
                            "can't set password cipher, relying on default");
+               pwd->pw_change = login_getcaptime(lc, "passwordtime", 0, 0);
+               if (pwd->pw_change)
+                       pwd->pw_change += time(NULL);
                login_close(lc);
                makesalt(salt);
                pwd->pw_passwd = crypt(new_pass, salt);
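
Review bot: The `if (pwd->pw_change)` test on the added lines treats any nonzero result from login_getcaptime() as a valid interval, so a negative value would be added to time(NULL) and give a change date in the past. Read the capability into a separate variable, start from `pwd->pw_change = 0`, and set `pwd->pw_change = time(NULL) + interval` only when the interval is greater than zero. The hunk also calls time() without showing an include of <time.h>; check that the file pulls it in.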


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Wed Feb 15 09:20:48 UTC 2006 
Responsible-Changed-Why:  
To maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=93310 

From: =?iso-8859-1?Q?S=F8ren_Schr=F8der?= <sch@telenor.dk>
To: "bug-followup@FreeBSD.org" <bug-followup@FreeBSD.org>, "w@wrzask.pl"
	<w@wrzask.pl>
Cc:  
Subject: Re: bin/93310: [libpam] [patch] pam_unix ignores
 'passwordtime' from login.conf
Date: Fri, 27 Apr 2012 11:57:28 +0000

 Hi.
 
 I'm sorry to disturb, but it seems this old bug is still around, despite a patch being available.
 
 I have just tried to get "password expiration" to work on a FreeBSD 8.2-RELEASE-p6 (amd64 and i386)
 
 In default section in login.conf:
 
 
         :warnpassword=5d:\
         :passwordtime=30d:\
 
 And rebuild:
 
 cap_mkdb /etc/login.conf
 
 now for the test:
 
 # pw user mod sch2 -p 1-may-2012
 # grep sch2 /etc/master.passwd
 sch2:$1$E7y5QURj$.7fgXafecd4v87cd40Vqe1:1002:1002::1335823200:0:sch2:/home/sch2:/usr/local/bin/bash
 
 password changed
 
 # grep sch2 /etc/master.passwd
 sch2:$1$C8aW7PF1$sinM3yf65DExGmkUWcyLg0:1002:1002::0:0:sch2:/home/sch2:/usr/local/bin/bash
 
 field 6 was ctime for 2012-05-01 00:00:00 but after passwd, it is reset to zero, instead of "now+90d"
 
 I think it's time to fix this one
 
 
 --
 Søren Schrøder, Senior Architect, OSS, Core Engineering, Telenor.
 mailto:sch@telenor.dk | mobile:+4560503045
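
An added example, not part of the report or of FreeBSD's code: an audit that lists accounts left with a zero change field (field 6 of master.passwd) although their login class sets passwordtime, which is the state described in the report after passwd(1). The names audit_pw_change and demo and all sample data are assumptions; an empty class is treated as "default", tc= inheritance is followed, and class aliases, NIS users and root's special class lookup are not handled.

```shell
#!/bin/sh
# Added example (hypothetical helper): audit_pw_change MASTER_PASSWD LOGIN_CONF
# Prints accounts whose class has passwordtime but whose change field is 0.
audit_pw_change() {
    awk '
    function resolve(c,   n) {             # follow tc= inheritance, bounded depth
        for (n = 0; n < 8 && c != ""; n++) { if (c in pt) return pt[c]; c = tc[c] }
        return ""
    }
    function record(buf,   caps, i, nc) {  # one joined login.conf record
        nc = split(buf, caps, ":")
        for (i = 2; i <= nc; i++) {
            sub(/^[ \t]+/, "", caps[i])
            if (caps[i] ~ /^passwordtime=/) pt[caps[1]] = substr(caps[i], 14)
            if (caps[i] ~ /^tc=/) tc[caps[1]] = substr(caps[i], 4)
        }
    }
    FNR == NR {                            # first file: login.conf
        if ($0 ~ /^[ \t]*#/ || $0 ~ /^[ \t]*$/) next
        line = $0
        cont = sub(/\\[ \t]*$/, "", line)  # trailing backslash continues the record
        buf = buf line
        if (!cont) { record(buf); buf = "" }
        next
    }
    {                                      # second file: master.passwd
        if (split($0, f, ":") < 10 || f[2] == "" || f[2] ~ /^\*/) next  # no password login
        class = (f[5] == "") ? "default" : f[5]
        p = resolve(class)
        if (p != "" && f[6] + 0 == 0) print f[1] " class=" class " passwordtime=" p
    }' "$2" "$1"
}

demo() {                                   # constructed sample data, not real accounts
    d=$(mktemp -d) || return 1
    printf '%s\n' 'default:\' '    :warnpassword=5d:\' '    :passwordtime=30d:' \
        'staff:\' '    :tc=default:' 'nolimit:\' '    :umask=022:' > "$d/login.conf"
    printf '%s\n' 'alice:$6$x$constructed:1001:1001::0:0:A:/home/alice:/bin/sh' \
        'bob:$6$x$constructed:1002:1002:staff:1335823200:0:B:/home/bob:/bin/sh' \
        'carol:$6$x$constructed:1003:1003:staff:0:0:C:/home/carol:/bin/sh' \
        'dave:$6$x$constructed:1004:1004:nolimit:0:0:D:/home/dave:/bin/sh' \
        'daemon:*:1:1::0:0:Owner:/root:/usr/sbin/nologin' > "$d/master.passwd"
    audit_pw_change "$d/master.passwd" "$d/login.conf"
    rm -rf "$d"
}
demo
```

Run it against copies of /etc/master.passwd and /etc/login.conf rather than the live files; every account it lists would need its change date set by hand or a password change on a patched system.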
 
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Fri Apr 27 21:41:03 UTC 2012 
State-Changed-Why:  
fixed and mfced 

http://www.freebsd.org/cgi/query-pr.cgi?pr=93310 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/93310: commit references a PR
Date: Fri, 27 Apr 2012 21:41:00 +0000 (UTC)

 Author: des
 Date: Fri Apr 27 21:40:51 2012
 New Revision: 234741
 URL: http://svn.freebsd.org/changeset/base/234741
 
 Log:
   MFH r203377, r215680, r227044, r227105: mainly, respect passwordtime.
   
   PR:		93310, 93473
 
 Modified:
   stable/8/lib/libpam/modules/pam_unix/pam_unix.8
   stable/8/lib/libpam/modules/pam_unix/pam_unix.c
 
 Modified: stable/8/lib/libpam/modules/pam_unix/pam_unix.8
 ==============================================================================
 --- stable/8/lib/libpam/modules/pam_unix/pam_unix.8	Fri Apr 27 20:23:24 2012	(r234740)
 +++ stable/8/lib/libpam/modules/pam_unix/pam_unix.8	Fri Apr 27 21:40:51 2012	(r234741)
 @@ -188,3 +188,9 @@ password database.
  .Xr pam 8 ,
  .Xr pw 8 ,
  .Xr yp 8
 +.Sh BUGS
 +The
 +.Nm
 +module ignores the
 +.Dv PAM_CHANGE_EXPIRED_AUTHTOK
 +flag.
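
Review bot: The log message says this merge is mainly about respecting passwordtime, but the only manual page change here is a BUGS entry for PAM_CHANGE_EXPIRED_AUTHTOK. If pam_unix.8 does not already describe it, add a sentence to the password management text saying that after a successful change the module sets the account's password change time to the current time plus the login class's passwordtime capability, so administrators know which setting controls expiry after passwd(1).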
 
 Modified: stable/8/lib/libpam/modules/pam_unix/pam_unix.c
 ==============================================================================
 --- stable/8/lib/libpam/modules/pam_unix/pam_unix.c	Fri Apr 27 20:23:24 2012	(r234740)
 +++ stable/8/lib/libpam/modules/pam_unix/pam_unix.c	Fri Apr 27 21:40:51 2012	(r234741)
 @@ -50,6 +50,7 @@ __FBSDID("$FreeBSD$");
  #include <string.h>
  #include <stdio.h>
  #include <syslog.h>
 +#include <time.h>
  #include <unistd.h>
  
  #include <libutil.h>
 @@ -80,8 +81,6 @@ static char password_hash[] =		PASSWORD_
  #define PAM_OPT_LOCAL_PASS	"local_pass"
  #define PAM_OPT_NIS_PASS	"nis_pass"
  
 -char *tempname = NULL;
 -
  /*
   * authentication management
   */
 @@ -271,10 +270,11 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
  	const void *yp_domain, *yp_server;
  #endif
  	char salt[SALTSIZE + 1];
 -	login_cap_t * lc;
 +	login_cap_t *lc;
  	struct passwd *pwd, *old_pwd;
  	const char *user, *old_pass, *new_pass;
  	char *encrypted;
 +	time_t passwordtime;
  	int pfd, tfd, retval;
  
  	if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))
 @@ -377,11 +377,17 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
  		if ((old_pwd = pw_dup(pwd)) == NULL)
  			return (PAM_BUF_ERR);
  
 -		pwd->pw_change = 0;
  		lc = login_getclass(pwd->pw_class);
  		if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
  			openpam_log(PAM_LOG_ERROR,
  			    "can't set password cipher, relying on default");
 +		
 +		/* set password expiry date */
 +		pwd->pw_change = 0;
 +		passwordtime = login_getcaptime(lc, "passwordtime", 0, 0);
 +		if (passwordtime > 0)
 +			pwd->pw_change = time(NULL) + passwordtime;
 +		
  		login_close(lc);
  		makesalt(salt);
  		pwd->pw_passwd = crypt(new_pass, salt);
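
Review bot: login_getcaptime(lc, "passwordtime", 0, 0) passes 0 for both the default and the error value, so a passwordtime entry that cannot be parsed is indistinguishable from an absent one and the account is silently written with pw_change = 0, meaning no expiry. Pass a distinct error value such as -1 and report it with openpam_log(PAM_LOG_ERROR, ...) so that a typo in login.conf does not quietly disable the policy. The two added separator lines, before the comment and before login_close(lc), consist only of tabs; make them empty lines.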
 
>Unformatted:
