[Pkg-shadow-devel] Bug#321384: su refuses to change an expired password for root
Volker Westphal
volker.westphal at de.ibm.com
Fri Aug 5 07:27:17 UTC 2005
Package: login
Version: 1:4.0.3-31sarge5
I configured password aging on a fresh installation of Sarge.
When I use ssh to log into a user account with an expired password,
I'm forced to change the password like this:
Using username "westphal".
Linux wiesel 2.6.8-2-386 #1 Thu May 19 17:40:50 JST 2005 i686 GNU/Linux
Last login: Tue Aug 2 09:08:16 2005 from 10.222.16.227
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for westphal
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
This is the expected behaviour. It even works for a direct login into
the root account (sshd configured to "PermitRootLogin yes".)
However, when I try to "su" to an expired root account, it refuses
to change the password:
root at wiesel:~# passwd -x 10 -i 99999 root
westphal at wiesel:~$ su -
Password:
You are required to change your password immediately (password aged)
su: Authentication token is no longer valid; new one required.
Sorry.
On a system where "su" is the only way to become root, this would
mean a locked out root account. Imagine a remote system with
sshd configured to "PermitRootLogin no" and no direct console access.
Here is my configuration file /etc/pam.d/su, with @includes removed
for clarity:
auth sufficient pam_rootok.so
auth required pam_unix.so nullok_secure
account required pam_unix.so
password required pam_unix.so use_authtok nullok
session required pam_unix.so
The expected behaviour would be to immediately request the user to
change the password like for the direct logins.
Looking in su.c I found the following comment:
/*
* Check to see if the account is expired. root gets to ignore any
* expired accounts, but normal users can't become a user with an
* expired password.
*/
IMHO this implementation of su confuses "expired" (passwd -e user)
and "inactive" (passwd -l user) passwords. An expired password is not
invalid, it is just marked for an immediate change. I see no reason
why su should deny access to such an account.
Regards,
Kind regards,
Volker Westphal
SO NSD Design,Build,Implement&Run
Security Services Financial Customers
IBM Business Services GmbH
... an IBM Global Services Company
--------------------------------------
Wilhelm-Fay-Straße 30 - 34, 65936 Frankfurt
Tel.: +49 (0) 69/6645-5056
E-Mail: volker.westphal at de.ibm.com
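The distinction the report draws, an "expired" password that merely has to be changed versus an "inactive" one that should deny access, can be made explicit from the shadow(5) aging fields. The following is an added example, not code from the report or from the shadow package; the shadow entries it feeds in are constructed, and the field semantics are the simplified reading of shadow(5) given in the comments.

```shell
#!/bin/sh
# Added example (not from the report): classify a shadow(5) entry by its
# password-aging fields, separating the two states the report says su
# conflates: an "expired" password that must be changed at the next login,
# and an "inactive" one that should deny access. Sample entries below are
# constructed; day counts are days since 1970-01-01, as in /etc/shadow.
#
# usage: classify_shadow ENTRY TODAY  -> prints locked|ok|expired|inactive
classify_shadow() {
    entry=$1
    today=$2
    IFS=: read -r _user pass lastchg _min max _warn inact _rest <<EOF
$entry
EOF
    # A '!' or '*' prefix is a locked password (passwd -l): never valid.
    case $pass in
        '!'*|'*'*) echo locked; return 0 ;;
    esac
    # lastchg 0 means "change at next login" (passwd -e): expired, not locked.
    if [ "$lastchg" = 0 ]; then
        echo expired; return 0
    fi
    # Empty lastchg/max, or a max of 99999, means aging is disabled.
    if [ -z "$lastchg" ] || [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo ok; return 0
    fi
    expire=$((lastchg + max))
    if [ "$today" -lt "$expire" ]; then
        echo ok; return 0
    fi
    # Past max days: without an inactive window, or still inside it, the
    # user keeps access but must change the password now.
    if [ -z "$inact" ] || [ "$inact" -lt 0 ] || [ "$today" -lt $((expire + inact)) ]; then
        echo expired; return 0
    fi
    echo inactive
}

# Constructed demo entries evaluated on day 13000 (mid-2005), including the
# report's "passwd -x 10 -i 99999 root" case, which is expired but not inactive.
for e in 'root:$1$hash:12900:0:10:7:99999::' \
         'westphal:$1$hash:12995:0:10:7:::' \
         'inactive_user:$1$hash:12900:0:10:7:30::' \
         'locked_user:!$1$hash:12995:0:99999:7:::'; do
    printf '%-14s %s\n' "${e%%:*}" "$(classify_shadow "$e" 13000)"
done
```

Only the "inactive" and "locked" results describe an account that should be refused; "expired" is the state in which a login path is expected to force a password change rather than deny access.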