From bkoenig@cs.tu-berlin.de  Fri Feb 17 11:19:03 2006
Return-Path: <bkoenig@cs.tu-berlin.de>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 680BB16A422
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 17 Feb 2006 11:19:03 +0000 (GMT)
	(envelope-from bkoenig@cs.tu-berlin.de)
Received: from efacilitas.de (smtp.efacilitas.de [85.10.196.108])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5E4BA43D6D
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 17 Feb 2006 11:18:57 +0000 (GMT)
	(envelope-from bkoenig@cs.tu-berlin.de)
Received: from eurystheus.local (port-212-202-169-72.dynamic.qsc.de [212.202.169.72])
	by efacilitas.de (Postfix) with ESMTP id D14154CBD5
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 17 Feb 2006 12:28:28 +0100 (CET)
Received: from hoppel.local (eurystheus.local [192.168.1.67])
	by eurystheus.local (Postfix) with SMTP id E8FE65285D
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 17 Feb 2006 12:17:13 +0100 (CET)
Received: by hoppel.local (sSMTP sendmail emulation); Fri, 17 Feb 2006 12:17:13 +0100
Message-Id: <20060217111713.E8FE65285D@eurystheus.local>
Date: Fri, 17 Feb 2006 12:17:13 +0100
From: "Björn König" <bkoenig@cs.tu-berlin.de>
Reply-To: Björn König <bkoenig@cs.tu-berlin.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Let pam_unix(8) use "passwordtime" from login.conf(5) to set next password expiry date
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         93473
>Category:       bin
>Synopsis:       [patch] Let pam_unix(8) use "passwordtime" from login.conf(5) to set next password expiry date
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 17 11:20:03 GMT 2006
>Closed-Date:    Fri Apr 27 21:41:13 UTC 2012
>Last-Modified:  Fri Apr 27 21:50:13 UTC 2012
>Originator:     Björn König
>Release:        
>Organization:
>Environment:

	
>Description:
	login.conf(5) describes a non-implemented feature that allows you
	to set a password expiry date that will be applied every time a user
	of the login class changes his password. The patch below adds this
	functionality to pam_unix(8) and updates login.conf(5) accordingly.

	In fact these lines are stolen from
	src/release/picobsd/tinyware/passwd/local_passwd.c 

>How-To-Repeat:
>Fix:

	

--- passwordtime.diff begins here ---
--- src/lib/libpam/modules/pam_unix/pam_unix.c.orig	Fri Feb 17 11:28:12 2006
+++ src/lib/libpam/modules/pam_unix/pam_unix.c	Fri Feb 17 11:30:27 2006
@@ -371,11 +371,21 @@
 		if ((old_pwd = pw_dup(pwd)) == NULL)
 			return (PAM_BUF_ERR);
 
-		pwd->pw_change = 0;
 		lc = login_getclass(pwd->pw_class);
 		if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
 			openpam_log(PAM_LOG_ERROR,
 			    "can't set password cipher, relying on default");
+		
+		/* set password expiry date */
+		pwd->pw_change = 0;
+		if (lc != NULL) {
+			time_t period;
+			period = login_getcaptime(lc, "passwordtime", 0, 0);
+			if (period > (time_t)0) {
+				pwd->pw_change = time(NULL) + period;
+			}
+		}
+		
 		login_close(lc);
 		makesalt(salt);
 		pwd->pw_passwd = crypt(new_pass, salt);
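Review bot: with both the default and the error argument of login_getcaptime() set to 0, a passwordtime entry that fails to parse is indistinguishable from one that is absent, so a typo in login.conf silently switches password expiry off (pw_change stays 0) without a log line; consider passing a distinct error value and emitting an openpam_log() warning before falling back to "no expiry". Minor: the two added blank lines carry trailing whitespace.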
--- src/lib/libutil/login.conf.5.orig	Sun Feb 27 23:24:24 2005
+++ src/lib/libutil/login.conf.5	Fri Feb 17 11:38:04 2006
@@ -253,6 +253,9 @@
 NIS server should probably use "des".
 .It "passwd_prompt	string		The password prompt presented by
 .Xr login 1
+.It "passwordtime	time		Used by
+.Xr pam_unix 8
+to set next password expiry date.
 .It "times.allow 	list		List of time periods during which
 logins are allowed.
 .It "times.deny	list		List of time periods during which logins are
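Review bot: the new entry says only that pam_unix(8) uses passwordtime; administrators would benefit from the semantics the code change actually implements, namely that the expiry is set to the moment of the password change plus passwordtime, and that an unset or zero value leaves pw_change at 0 (no expiry).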
@@ -388,9 +391,6 @@
 .Xr passwd 1
 will warn the user if an all lower case password is entered.
 .It "monthtime 	time		Maximum login time per month.
-.It "passwordtime	time		Used by
-.Xr passwd 1
-to set next password expiry date.
 .It "refreshtime 	time		New time allowed on account refresh.
 .It "refreshperiod	str		How often account time is refreshed.
 .It "sessiontime 	time		Maximum login time per session.
--- passwordtime.diff ends here ---

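As an added illustration, not code from pam_unix or from either patch in this PR, the expiry arithmetic the thread settles on, written as a stand-alone C function: passwordtime from login.conf(5) sets pw_change to now plus that period, the follow-up's proposed passwordtimemin is checked against the real last-change time rather than derived from the stored expiry, and the sum is guarded against wrapping. The last_change argument and the PW_* status values are assumptions of this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Largest value a signed time_t can hold (there is no portable TIME_T_MAX). */
#define TIME_T_MAXVAL \
	((time_t)((((uintmax_t)1) << (sizeof(time_t) * CHAR_BIT - 1)) - 1))

/* Negative status values (assumed here); a real expiry is never negative. */
enum { PW_TOO_SOON = -1, PW_OVERFLOW = -2 };

/*
 * Compute the pw_change value to store after a password change.
 *   now              current time
 *   last_change      when the password was last set, 0 if unknown; assumed
 *                    to be supplied by the caller, since master.passwd only
 *                    stores the expiry (which is why the follow-up patch had
 *                    to guess the age from pw_change minus passwordtime)
 *   passwordtime     login.conf passwordtime in seconds, 0 = no expiry
 *   passwordtimemin  the proposed minimum age in seconds, 0 = not enforced
 * Returns the new pw_change (0 = never expires) or a negative PW_* status.
 */
time_t
next_pw_change(time_t now, time_t last_change, time_t passwordtime,
    time_t passwordtimemin)
{
	/* minimum age is measured from the real last change, independent of
	 * whatever passwordtime the login class had back then */
	if (passwordtimemin > 0 && last_change > 0 &&
	    now - last_change < passwordtimemin)
		return (PW_TOO_SOON);

	/* unset (or unparsable, which login_getcaptime() also reports as 0)
	 * passwordtime: no expiry, as in the committed change */
	if (passwordtime <= 0)
		return (0);

	/* refuse a sum that would wrap: a wrapped value can lie in the past
	 * and would expire the fresh password immediately */
	if (now > TIME_T_MAXVAL - passwordtime)
		return (PW_OVERFLOW);

	return (now + passwordtime);
}

int
main(void)
{
	/* 90 days, the kind of value an administrator would put in login.conf */
	printf("expiry for passwordtime=90d: %lld\n",
	    (long long)next_pw_change(time(NULL), 0, 90 * 86400, 0));
	return (0);
}
```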

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Mon Feb 20 12:18:45 UTC 2006 
Responsible-Changed-Why:  
Assign to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=93473 

From: Stefan Lambrev <stefan.lambrev@moneybookers.com>
To: bug-followup@freebsd.org
Cc: des@freebsd.org
Subject: Re: bin/93473: [patch] Let pam_unix(8) use "passwordtime" from login.conf(5) to set next password expiry date
Date: Mon, 1 Feb 2010 18:14:09 +0200

 Hi,
 
 We are using this patch on a few recent 7-stable (FreeBSD 7.2-STABLE) and
 it works like a charm.
 Can you commit this please?
 
 --
 Best Wishes,
 Stefan Lambrev
 ICQ# 24134177
 
State-Changed-From-To: open->patched 
State-Changed-By: des 
State-Changed-When: Tue Feb 2 13:49:04 UTC 2010 
State-Changed-Why:  
Similar patch committed, awaiting MFC 

http://www.freebsd.org/cgi/query-pr.cgi?pr=93473 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/93473: commit references a PR
Date: Tue,  2 Feb 2010 13:48:13 +0000 (UTC)

 Author: des
 Date: Tue Feb  2 13:47:18 2010
 New Revision: 203377
 URL: http://svn.freebsd.org/changeset/base/203377
 
 Log:
   Respect passwordtime from login.conf if set.
   
   PR:		bin/93473
   Submitted by:	Björn König <bkoenig@cs.tu-berlin.de>
   MFC after:	1 week
 
 Modified:
   head/lib/libpam/modules/pam_unix/pam_unix.c
 
 Modified: head/lib/libpam/modules/pam_unix/pam_unix.c
 ==============================================================================
 --- head/lib/libpam/modules/pam_unix/pam_unix.c	Tue Feb  2 11:09:28 2010	(r203376)
 +++ head/lib/libpam/modules/pam_unix/pam_unix.c	Tue Feb  2 13:47:18 2010	(r203377)
 @@ -271,10 +271,11 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
  	const void *yp_domain, *yp_server;
  #endif
  	char salt[SALTSIZE + 1];
 -	login_cap_t * lc;
 +	login_cap_t *lc;
  	struct passwd *pwd, *old_pwd;
  	const char *user, *old_pass, *new_pass;
  	char *encrypted;
 +	time_t passwordtime;
  	int pfd, tfd, retval;
  
  	if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))
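Review bot: time_t and time() are now used in this function, but no #include <time.h> is added; it evidently arrives transitively today, yet an explicit include is safer (the later merge to stable/8 does add one). The `login_cap_t * lc` to `login_cap_t *lc` change is an unrelated style fix bundled into the same commit.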
 @@ -377,11 +378,17 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
  		if ((old_pwd = pw_dup(pwd)) == NULL)
  			return (PAM_BUF_ERR);
  
 -		pwd->pw_change = 0;
  		lc = login_getclass(pwd->pw_class);
  		if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
  			openpam_log(PAM_LOG_ERROR,
  			    "can't set password cipher, relying on default");
 +		
 +		/* set password expiry date */
 +		pwd->pw_change = 0;
 +		passwordtime = login_getcaptime(lc, "passwordtime", 0, 0);
 +		if (passwordtime > 0)
 +			pwd->pw_change = time(NULL) + passwordtime;
 +		
  		login_close(lc);
  		makesalt(salt);
  		pwd->pw_passwd = crypt(new_pass, salt);
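Review bot: `time(NULL) + passwordtime` is unchecked; login_getcaptime() returns an rlim_t, so an oversized passwordtime is first truncated into time_t and then added to the current time, which on a 32-bit time_t can wrap to a date in the past and expire the freshly set password at once. Consider refusing values for which the sum does not exceed the current time, with a log message. The submitter's `lc != NULL` guard was dropped, which is only correct because login_getcaptime() returns its default for a NULL lc; a short comment would save the next reader that lookup. The two blank `+` lines carry trailing tabs.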
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: Lance Leger <laleger@gmail.com>
To: bug-followup@FreeBSD.org, bkoenig@cs.tu-berlin.de
Cc:  
Subject: Re: bin/93473: [patch] Let pam_unix(8) use "passwordtime"
 from login.conf(5) to set next password expiry date
Date: Tue, 21 Feb 2012 13:31:54 +0100

 I see that this change has still not been committed. May I suggest
 that the change committed also incorporate the capability to
 specify/enforce a minimum password age (required by some government
 policies and most other operating systems have this capability
 already). I have included source below which addresses both the
 requirements for a max and min password age.
 
 [root@dev /usr/src/lib/libpam/modules/pam_unix]# diff pam_unix.c.orig pam_unix.c
 380d379
 <               pwd->pw_change = 0;
 381a381,398
 >
 >               time_t pwtime, pwtimemin, pwchangenew;
 >               pwtime = login_getcaptime(lc, "passwordtime", 0, 0);
 >               pwtimemin = login_getcaptime(lc, "passwordtimemin", 0, 0);
 >
 >               if (pwtime > (time_t)0) {
 >                       pwchangenew = time(NULL) + pwtime;
 >                       if (pwtimemin > (time_t)0 &&
 >                           pwd->pw_change &&
 >                           pwchangenew - pwd->pw_change < pwtimemin) {
 >                               openpam_log(PAM_LOG_ERROR, "Minimum password age (passwordtimemin) enforced.");
 >                               return (PAM_PERM_DENIED);
 >                       }
 >                       pwd->pw_change = pwchangenew;
 >               } else {
 >                       pwd->pw_change = 0;
 >               }
 >
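Review bot: the early `return (PAM_PERM_DENIED)` leaves pam_sm_chauthtok() without calling login_close(lc) and without freeing old_pwd, which pw_dup() allocated just above (both visible in the surrounding context of the committed hunks), so every refused change leaks the login class handle and the duplicated passwd entry. The age test `pwchangenew - pwd->pw_change < pwtimemin` assumes the stored expiry was produced with the same passwordtime; if the class's passwordtime is edited between two changes, or pw_change was set by hand with pw(8), the computed age is wrong. Because the block sits under `if (pwtime > (time_t)0)`, passwordtimemin is never enforced when no maximum age is configured, and a policy refusal logged at PAM_LOG_ERROR reads as a failure rather than a deliberate denial.
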
State-Changed-From-To: patched->closed 
State-Changed-By: des 
State-Changed-When: Fri Apr 27 21:41:11 UTC 2012 
State-Changed-Why:  
fixed and mfced 

http://www.freebsd.org/cgi/query-pr.cgi?pr=93473 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/93473: commit references a PR
Date: Fri, 27 Apr 2012 21:41:01 +0000 (UTC)

 Author: des
 Date: Fri Apr 27 21:40:51 2012
 New Revision: 234741
 URL: http://svn.freebsd.org/changeset/base/234741
 
 Log:
   MFH r203377, r215680, r227044, r227105: mainly, respect passwordtime.
   
   PR:		93310, 93473
 
 Modified:
   stable/8/lib/libpam/modules/pam_unix/pam_unix.8
   stable/8/lib/libpam/modules/pam_unix/pam_unix.c
 
 Modified: stable/8/lib/libpam/modules/pam_unix/pam_unix.8
 ==============================================================================
 --- stable/8/lib/libpam/modules/pam_unix/pam_unix.8	Fri Apr 27 20:23:24 2012	(r234740)
 +++ stable/8/lib/libpam/modules/pam_unix/pam_unix.8	Fri Apr 27 21:40:51 2012	(r234741)
 @@ -188,3 +188,9 @@ password database.
  .Xr pam 8 ,
  .Xr pw 8 ,
  .Xr yp 8
 +.Sh BUGS
 +The
 +.Nm
 +module ignores the
 +.Dv PAM_CHANGE_EXPIRED_AUTHTOK
 +flag.
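Review bot: documenting the ignored PAM_CHANGE_EXPIRED_AUTHTOK flag is useful here, because once passwordtime populates pw_change, a caller that passes that flag expecting only expired passwords to be changed will not get that behaviour; consider cross-referencing this limitation from the passwordtime entry in login.conf(5), where administrators enable the feature.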
 
 Modified: stable/8/lib/libpam/modules/pam_unix/pam_unix.c
 ==============================================================================
 --- stable/8/lib/libpam/modules/pam_unix/pam_unix.c	Fri Apr 27 20:23:24 2012	(r234740)
 +++ stable/8/lib/libpam/modules/pam_unix/pam_unix.c	Fri Apr 27 21:40:51 2012	(r234741)
 @@ -50,6 +50,7 @@ __FBSDID("$FreeBSD$");
  #include <string.h>
  #include <stdio.h>
  #include <syslog.h>
 +#include <time.h>
  #include <unistd.h>
  
  #include <libutil.h>
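Review bot: good, this supplies the declaration of time() that r203377 used without including <time.h>.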
 @@ -80,8 +81,6 @@ static char password_hash[] =		PASSWORD_
  #define PAM_OPT_LOCAL_PASS	"local_pass"
  #define PAM_OPT_NIS_PASS	"nis_pass"
  
 -char *tempname = NULL;
 -
  /*
   * authentication management
   */
 @@ -271,10 +270,11 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
  	const void *yp_domain, *yp_server;
  #endif
  	char salt[SALTSIZE + 1];
 -	login_cap_t * lc;
 +	login_cap_t *lc;
  	struct passwd *pwd, *old_pwd;
  	const char *user, *old_pass, *new_pass;
  	char *encrypted;
 +	time_t passwordtime;
  	int pfd, tfd, retval;
  
  	if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))
 @@ -377,11 +377,17 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
  		if ((old_pwd = pw_dup(pwd)) == NULL)
  			return (PAM_BUF_ERR);
  
 -		pwd->pw_change = 0;
  		lc = login_getclass(pwd->pw_class);
  		if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
  			openpam_log(PAM_LOG_ERROR,
  			    "can't set password cipher, relying on default");
 +		
 +		/* set password expiry date */
 +		pwd->pw_change = 0;
 +		passwordtime = login_getcaptime(lc, "passwordtime", 0, 0);
 +		if (passwordtime > 0)
 +			pwd->pw_change = time(NULL) + passwordtime;
 +		
  		login_close(lc);
  		makesalt(salt);
  		pwd->pw_passwd = crypt(new_pass, salt);
 
>Unformatted:
