[Pkg-shadow-devel] Bug#321384: su refuses to change an expired password for root

Volker Westphal volker.westphal at de.ibm.com
Fri Aug 5 07:27:17 UTC 2005


Package: login
Version: 1:4.0.3-31sarge5

I configured password aging on a fresh installation of Sarge.
When I use ssh to log into a user account with an expired password,
I'm forced to change the password like this:

  Using username "westphal".
  Linux wiesel 2.6.8-2-386 #1 Thu May 19 17:40:50 JST 2005 i686 GNU/Linux
  Last login: Tue Aug  2 09:08:16 2005 from 10.222.16.227
  WARNING: Your password has expired.
  You must change your password now and login again!
  Changing password for westphal
  (current) UNIX password:
  New UNIX password:
  Retype new UNIX password:

This is the expected behaviour. It even works for a direct login into 
the root account (sshd configured to "PermitRootLogin yes".) 

However, when I try to "su" to an expired root account, it refuses 
to change the password: 

  root at wiesel:~# passwd -x 10 -i 99999 root

  westphal at wiesel:~$ su -
  Password:
  You are required to change your password immediately (password aged)
  su: Authentication token is no longer valid; new one required.
  Sorry.
 
On a system where "su" is the only way to become root, this would
mean a locked out root account. Imagine a remote system with 
sshd configured to "PermitRootLogin no" and no direct console access.

Here is my configuration file /etc/pam.d/su, with @includes removed
for clarity:

  auth     sufficient      pam_rootok.so
  auth     required        pam_unix.so nullok_secure
  account  required        pam_unix.so
  password required        pam_unix.so use_authtok nullok
  session  required        pam_unix.so
 
The expected behaviour would be to immediately request the user to
change the password like for the direct logins. 

Looking in su.c I found the following comment:

  /*
   * Check to see if the account is expired. root gets to ignore any
   * expired accounts, but normal users can't become a user with an
   * expired password.
   */

IMHO this implementation of su confuses "expired" (passwd -e user) 
and "inactive" (passwd -l user) passwords. An expired password is not
invalid, it is just marked for an immediate change. I see no reason 
why su should deny access to such an account.



Regards,

Kind regards,

Volker Westphal
SO NSD Design,Build,Implement&Run
Security Services Financial Customers
IBM Business Services GmbH
... an IBM Global Services Company
--------------------------------------
Wilhelm-Fay-Straße 30 - 34, 65936 Frankfurt
Tel.:         +49 (0) 69/6645-5056
E-Mail:     volker.westphal at de.ibm.com
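The distinction the report draws between an aged password (change required) and a locked or inactive one is visible in the shadow(5) fields themselves. As an added example, not code from the bug report or from the shadow package, here is a small classifier over constructed shadow-format lines (the hash values are placeholders, and the last-change dates are chosen relative to 5 August 2005, the date of the report). The `root` line mirrors `passwd -x 10 -i 99999 root` from the report with a last-change date 15 days in the past: the result is "aged", meaning the password must be changed but the 99999-day inactivity window is nowhere near used up, which is exactly the account the report says `su` refuses. The thresholds follow the aging rules documented in shadow(5) and chage(1); the exact boundary handling (">=" versus ">") is an assumption here.

```python
"""Classify password/account state from /etc/shadow-format entries.

Added example, not part of the bug report or of the shadow package.
The thresholds follow the aging rules documented in shadow(5) and
chage(1); the exact boundary handling (">=" vs ">") is an assumption.
"""
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed sample data: hashes are placeholders, not real hashes.
# Fields: name:password:lastchg:min:max:warn:inact:expire:flag
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER:12985:0:10:7:99999::
westphal:$6$PLACEHOLDER:12995:0:10:7:::
alice:!$6$PLACEHOLDER:12995:0:99999:7:::
bob:$6$PLACEHOLDER:12950:0:10:7:30::
carol:$6$PLACEHOLDER:0:0:99999:7:::
dave:$6$PLACEHOLDER:12995:0:99999:7::12999:
"""


def days_since_epoch(d: date) -> int:
    """shadow(5) stores dates as days since 1970-01-01."""
    return (d - EPOCH).days


# "Today" for the sample data: the date of the report.
TODAY = days_since_epoch(date(2005, 8, 5))


def _field(value: str) -> int:
    """Empty shadow fields mean 'not set'; represent that as -1."""
    return int(value) if value else -1


def classify(line: str, today: int) -> str:
    """Return one of: no-password, locked, account-expired, must-change,
    inactive, aged, ok."""
    name, pw, lastchg, _min, maxage, _warn, inact, expire, _flag = line.split(":")
    lastchg, maxage, inact, expire = map(_field, (lastchg, maxage, inact, expire))

    if pw == "":
        return "no-password"        # only usable with pam_unix's nullok
    if pw.startswith(("!", "*")):
        return "locked"             # passwd -l prefixes the hash with "!"
    if expire >= 0 and today >= expire:
        return "account-expired"    # chage -E: the account itself is closed
    if lastchg == 0:
        return "must-change"        # passwd -e: change forced at next login
    if lastchg < 0 or maxage < 0:
        return "ok"                 # no aging configured for this entry
    if inact >= 0 and today >= lastchg + maxage + inact:
        return "inactive"           # grace period after aging is used up
    if today >= lastchg + maxage:
        return "aged"               # older than max days: change required
    return "ok"


def classify_all(shadow_text: str, today: int) -> dict:
    """Map each user name in a shadow-format text to its state."""
    return {
        entry.split(":")[0]: classify(entry, today)
        for entry in shadow_text.splitlines()
        if entry
    }


if __name__ == "__main__":
    for user, state in classify_all(SAMPLE_SHADOW, TODAY).items():
        print(f"{user:10s} {state}")
```

Run stand-alone it prints one state per sample user; `root` comes out as "aged" while `bob` (max 10 days plus a 30-day inactivity window, both elapsed) comes out as "inactive" and `alice` as "locked". Only the last two states are ones where refusing access is the intended outcome; "aged" is the state that login handles by forcing a password change.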