[Pkg-shadow-devel] Bug#514437: chage -m / passwd -n (--mindays) have no effect (Lenny)
nicolas.francois at centraliens.net
Sun Feb 8 21:09:24 UTC 2009
reassign 514437 libpam-modules
tags 514437 security
On Sat, Feb 07, 2009 at 04:37:10PM +0100, lienesch.gag at ewetel.net wrote:
> After typing e.g.
> chage -m 10000 <user>
> as root the user is still allowed to change his password.
> The MINDAYS-Field in /etc/shadow shows the correct value after the command above
> but it has no effect.
Thanks for reporting this.
Looking at the PAM sources (grepping for sp_min), it seems that PAM does
not use this field anymore.
I had a look at PAM 0.79, and this was one check in _unix_verify_shadow,
called from pam_sm_chauthtok.
if ((curdays < (spwdent->sp_lstchg + spwdent->sp_min))
&& (spwdent->sp_min != -1))
retval = PAM_AUTHTOK_ERR;
pam_sm_chauthtok still calls _unix_verify_shadow.
_unix_verify_shadow calls _unix_run_verify_binary and check_shadow_expiry
but those are used by pam_sm_acct_mgmt so the above check cannot be added
I did not change the severity of the bug, but I wonder if it should not be
considered for Lenny.
sp_min is part of the security policy for passwords (it can be used to
forbid users changing their password immediately back to the previous
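Added example, not code from PAM, from the shadow package, or from this thread: it rebuilds the sp_min check quoted above from PAM 0.79's _unix_verify_shadow as a stand-alone function, together with a minimal parser for one /etc/shadow line, so the effect of `chage -m 10000 <user>` on the MINDAYS field can be tried on a constructed entry. The struct `shadow_entry` mirrors only the struct spwd fields used here; the names `parse_shadow_line`, `mindays_blocks_change`, `mindays_check_line` and `today_in_days`, and the sample shadow line, are this example's own.

```c
/* Added example; not code from PAM or the shadow package. It rebuilds the
 * sp_min check from PAM 0.79's _unix_verify_shadow as a stand-alone
 * function, with a minimal parser for one /etc/shadow line, so the effect
 * of `chage -m 10000 <user>` can be tried on a constructed entry.
 * struct shadow_entry mirrors only the struct spwd fields used here; all
 * names below are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

struct shadow_entry {
    char name[64];
    long lstchg;  /* day of last change (days since 1970-01-01); -1 if empty */
    long min;     /* MINDAYS: days before the password may be changed again; -1 if empty */
    long max;     /* MAXDAYS; -1 if empty */
};

/* Empty numeric fields become -1, which is what glibc's sgetspent() does. */
static long day_field(const char *s)
{
    return *s == '\0' ? -1 : strtol(s, NULL, 10);
}

/* Parse "name:hash:lstchg:min:max:warn:inact:expire:flag".
 * Returns 0 on success, -1 if the line is too long or has too few fields. */
int parse_shadow_line(const char *line, struct shadow_entry *e)
{
    char buf[512];
    char *fields[9];
    int n = 0;

    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);

    /* Split on ':' by hand: strtok() would collapse empty fields. */
    char *p = buf;
    fields[n++] = p;
    while (n < 9 && (p = strchr(p, ':')) != NULL) {
        *p++ = '\0';
        fields[n++] = p;
    }
    if (n < 5 || strlen(fields[0]) >= sizeof e->name)
        return -1;

    strcpy(e->name, fields[0]);
    e->lstchg = day_field(fields[2]);
    e->min    = day_field(fields[3]);
    e->max    = day_field(fields[4]);
    return 0;
}

/* Days since the epoch, computed the way pam_unix computes curdays. */
long today_in_days(void)
{
    return (long)(time(NULL) / (60 * 60 * 24));
}

/* The PAM 0.79 logic: refuse the change while fewer than sp_min days have
 * passed since sp_lstchg; an sp_min of -1 (empty field) imposes no minimum.
 * Returns 1 where pam_sm_chauthtok would set PAM_AUTHTOK_ERR, else 0. */
int mindays_blocks_change(const struct shadow_entry *e, long curdays)
{
    return (curdays < e->lstchg + e->min) && (e->min != -1);
}

/* Convenience wrapper: -1 on a malformed line, else the result above. */
int mindays_check_line(const char *line, long curdays)
{
    struct shadow_entry e;
    if (parse_shadow_line(line, &e) != 0)
        return -1;
    return mindays_blocks_change(&e, curdays);
}

int main(void)
{
    /* Constructed entry: last change on day 14283 (2009-02-08) after
     * `chage -m 10000`; the hash is a placeholder. */
    const char *line = "alice:$6$salt$placeholder:14283:10000:99999:7:::";
    long today = today_in_days();
    int r = mindays_check_line(line, today);

    if (r < 0)
        puts("malformed shadow line");
    else
        printf("alice: password change %s today (day %ld)\n",
               r ? "refused by MINDAYS" : "allowed", today);
    return 0;
}
```

With the sample entry, a change attempted one day after sp_lstchg is refused and one attempted exactly sp_min days later is allowed; an empty MINDAYS field (sp_min == -1) never blocks. The fields are still written by chage and still present in struct spwd, so this is the piece of logic pam_sm_chauthtok would need to apply for `chage -m` to have an effect.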