reassign 514437 libpam-modules
tags 514437 security
thanks

Hello,

On Sat, Feb 07, 2009 at 04:37:10PM +0100, lienesch....@ewetel.net wrote:
>
> After typing e.g.
>
> chage -m 10000 <user>
>
> as root the user is still allowed to change his password.
>
> The MINDAYS-Field in /etc/shadow shows the correct value after the command
> above
> but it has no effect.

Thanks for reporting this.

Looking at the PAM sources (grepping for sp_min), it seems that PAM does
not use this field anymore.

I had a look at PAM 0.79, and this was one check in _unix_verify_shadow,
called from pam_sm_chauthtok.

    if ((curdays < (spwdent->sp_lstchg + spwdent->sp_min))
        && (spwdent->sp_min != -1))
            retval = PAM_AUTHTOK_ERR;

pam_sm_chauthtok still calls _unix_verify_shadow.
_unix_verify_shadow calls _unix_run_verify_binary and check_shadow_expiry
but those are used by pam_sm_acct_mgmt so the above check cannot be added
there.

I did not change the severity of the bug, but I wonder if it should not be
considered for Lenny.
sp_min is part of the security policy for passwords (it can be used to
forbid users changing their password immediately back to the previous
password).

Best Regards,
-- 
Nekral
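
Added example, not part of the original message and not PAM code: a stand-alone C check that applies the PAM 0.79 condition quoted above to /etc/shadow-style lines, so the minimum-age policy can be audited independently of what pam_unix enforces. The helper names, the sample entries and the day count 14282 are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Empty numeric shadow field means "not set"; getspnam() reports it as -1. */
static long field_or_unset(const char *s)
{
    return *s == '\0' ? -1 : strtol(s, NULL, 10);
}

/* Hypothetical helper (not a PAM function).
 * Returns 1 if the change must be refused, 0 if allowed, -1 if malformed. */
int change_too_soon(const char *shadow_line, long curdays)
{
    char buf[512], *fields[9], *p = buf;
    int n = 0;

    if (strlen(shadow_line) >= sizeof buf)
        return -1;
    strcpy(buf, shadow_line);
    while (n < 9) {                 /* split name:hash:lstchg:min:... in place */
        fields[n++] = p;
        if ((p = strchr(p, ':')) == NULL)
            break;
        *p++ = '\0';
    }
    if (n < 4)
        return -1;
    long sp_lstchg = field_or_unset(fields[2]);
    long sp_min = field_or_unset(fields[3]);
    /* Same condition as the PAM 0.79 check quoted in the message. */
    return (curdays < sp_lstchg + sp_min) && (sp_min != -1);
}

int main(void)
{
    /* Constructed sample entries; 14282 is a constructed "today" in days since epoch. */
    const char *samples[] = {
        "alice:HASH:14280:10000:99999:7:::",  /* changed 2 days ago, min 10000 */
        "bob:HASH:14000:7:99999:7:::",        /* min age long elapsed */
        "carol:HASH:14280::99999:7:::",       /* min age not set */
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-40s -> %d\n", samples[i], change_too_soon(samples[i], 14282));
    return 0;
}
```

An entry for which this returns 1 while passwd still accepts a change from that user shows the behaviour described in the report.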