[Pkg-shadow-devel] Bug#514437: chage -m / passwd -n (--mindays) have no effect (Lenny)

Nicolas François nicolas.francois at centraliens.net
Sun Feb 8 21:09:24 UTC 2009

reassign 514437 libpam-modules
tags 514437 security


On Sat, Feb 07, 2009 at 04:37:10PM +0100, lienesch.gag at ewetel.net wrote:
> After typing e.g.
>   chage -m 10000 <user> 
> as root the user is still allowed to change his password.
> The MINDAYS-Field in /etc/shadow shows the correct value after the command above 
> but it has no effect.

Thanks for reporting this.

Looking at the PAM sources (grepping for sp_min), it seems that PAM does
not use this field anymore.

I had a look at PAM 0.79, and this was one check in _unix_verify_shadow,
called from pam_sm_chauthtok.
			if ((curdays < (spwdent->sp_lstchg + spwdent->sp_min))
			    && (spwdent->sp_min != -1))
				retval = PAM_AUTHTOK_ERR;

pam_sm_chauthtok still calls _unix_verify_shadow.
_unix_verify_shadow calls _unix_run_verify_binary and check_shadow_expiry
but those are used by pam_sm_acct_mgmt so the above check cannot be added

I did not change the severity of the bug, but I wonder if it should not be
considered for Lenny.

sp_min is part of the security policy for passwords (it can be used to
forbid users changing their password immediately back to the previous

Best Regards,
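The sp_min condition quoted from PAM 0.79 above, as an added example that is not code from PAM or from the shadow package: it reads the lastchg (field 3) and min (field 4) columns of a constructed /etc/shadow line into a small struct standing in for the two spwd fields, and then applies the same test pam_unix used to apply (reject while curdays < sp_lstchg + sp_min, unless sp_min is -1). The struct name `shadow_age`, the functions `parse_shadow_age`, `days_since_epoch` and `mindays_allows_change`, and the sample shadow lines are all assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Hypothetical stand-in for the two struct spwd fields the check uses:
 * sp_lstchg = days since 1970-01-01 of the last password change,
 * sp_min    = minimum days between changes, -1 when the field is empty. */
struct shadow_age {
    long sp_lstchg;
    long sp_min;
};

/* Days since the epoch, the unit both shadow fields are expressed in. */
long days_since_epoch(time_t now)
{
    return (long)(now / (24 * 60 * 60));
}

/* Parse fields 3 (lastchg) and 4 (min) of one /etc/shadow line.
 * Empty fields become -1, following the shadow(5) convention.
 * Returns 0 on success, -1 if the line has fewer than four fields. */
int parse_shadow_age(const char *line, struct shadow_age *out)
{
    const char *p = line;
    long vals[2] = { -1, -1 };          /* lastchg, min */
    int field;

    for (field = 0; field < 4; field++) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);

        if (field >= 2 && len > 0)
            vals[field - 2] = strtol(p, NULL, 10); /* stops at ':' or end */

        if (colon == NULL) {
            if (field < 3)
                return -1;              /* fewer than four fields */
            break;
        }
        p = colon + 1;
    }
    out->sp_lstchg = vals[0];
    out->sp_min = vals[1];
    return 0;
}

/* The PAM 0.79 _unix_verify_shadow condition, inverted into "may change":
 * returns 1 if a change is permitted today, 0 if the minimum age has not
 * elapsed since the last change. */
int mindays_allows_change(const struct shadow_age *sp, long curdays)
{
    if (sp->sp_min == -1)
        return 1;                       /* no minimum age configured */
    if (curdays < sp->sp_lstchg + sp->sp_min)
        return 0;                       /* too soon: PAM_AUTHTOK_ERR case */
    return 1;
}

int main(void)
{
    /* Constructed sample lines; hashes and dates are made up. The first
     * is what the reporter's "chage -m 10000" would leave behind. */
    const char *lines[] = {
        "alice:$6$constructedhash:14282:10000:99999:7:::",
        "bob:*:14282::99999:7:::",
    };
    long today = 14283;                 /* constructed "current day" */
    size_t i;

    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        struct shadow_age sp;
        if (parse_shadow_age(lines[i], &sp) != 0) {
            printf("line %zu: malformed\n", i);
            continue;
        }
        printf("line %zu: lstchg=%ld min=%ld -> change %s\n", i,
               sp.sp_lstchg, sp.sp_min,
               mindays_allows_change(&sp, today) ? "allowed" : "denied");
    }
    return 0;
}
```

With the first line the change is denied until day 24282, which is the behaviour the reporter expected and Lenny's pam_unix no longer enforces; the second line, with an empty min field, is always allowed.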
