login.conf(5) describes a non-implemented feature that allows you to set a password expiry date that will be applied every time a user of the login class changes his password. The patch below adds this functionality to pam_unix(8) and updates login.conf(5) accordingly. In fact these lines are stolen from src/release/picobsd/tinyware/passwd/local_passwd.c
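The following is an added example, not code from this PR, from pam_unix or from FreeBSD's libutil. It models what the requested feature does: a login.conf(5) `passwordtime` value is turned into a `pw_change` expiry stamp at password-change time, and a later check decides whether the password has expired. `parse_captime()` is a hypothetical stand-in for login_getcaptime(3) that accepts the login.conf time syntax (digits with optional y/w/d/h/m/s suffixes, concatenated, such as `90d` or `1w12h`) and, unlike a call made with 0 as both default and error value, reports a malformed value distinctly from an unset one so a typo cannot silently disable expiry.

```c
/*
 * Added example (not code from the PR or from FreeBSD). A self-contained
 * model of how a login.conf "passwordtime" capability becomes a pw_change
 * expiry stamp. parse_captime() is a hypothetical replacement for
 * login_getcaptime(3); the sample values below are constructed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <time.h>

#define CAPTIME_ERROR ((long)-1)   /* distinct from "unset" (0) */

/* Seconds per unit for the login.conf(5) time suffixes. */
static long
unit_seconds(int c)
{
	switch (c) {
	case 'y': return 365L * 24 * 60 * 60;
	case 'w': return 7L * 24 * 60 * 60;
	case 'd': return 24L * 60 * 60;
	case 'h': return 60L * 60;
	case 'm': return 60L;
	case 's': return 1L;
	default:  return -1L;
	}
}

/*
 * Parse a login.conf time value such as "90d", "1w12h" or "3600" (a bare
 * number means seconds). Returns total seconds, or CAPTIME_ERROR when the
 * string is empty or malformed.
 */
long
parse_captime(const char *s)
{
	long total = 0, n, mult;
	char *end;

	if (s == NULL || *s == '\0')
		return CAPTIME_ERROR;
	while (*s != '\0') {
		if (!isdigit((unsigned char)*s))
			return CAPTIME_ERROR;
		n = strtol(s, &end, 10);
		if (*end == '\0') {          /* trailing bare number: seconds */
			total += n;
			break;
		}
		mult = unit_seconds(*end);
		if (mult < 0)
			return CAPTIME_ERROR;
		total += n * mult;
		s = end + 1;
	}
	return total;
}

/*
 * New pw_change value, following the logic of the committed change:
 * 0 ("never expires") when passwordtime is unset (NULL) or zero, otherwise
 * now + passwordtime. Returns -1 for a syntax error so the caller can log it
 * and keep the previous value instead of silently disabling expiry.
 */
long
compute_pw_change(const char *passwordtime, time_t now)
{
	long secs = (passwordtime == NULL) ? 0 : parse_captime(passwordtime);

	if (secs == CAPTIME_ERROR)
		return -1;
	return (secs > 0) ? (long)now + secs : 0;
}

/* True when a pw_change stamp says the password must be changed at "now". */
int
password_expired(long pw_change, time_t now)
{
	return pw_change != 0 && pw_change <= (long)now;
}

int
main(void)
{
	/* Constructed sample: passwordtime=90d, checked again 91 days later. */
	time_t now = 1000000000;
	long change = compute_pw_change("90d", now);

	printf("pw_change = %ld, expired after 91 days: %d\n", change,
	    password_expired(change, now + 91L * 24 * 60 * 60));
	printf("malformed value rejected: %d\n",
	    compute_pw_change("90x", now) == -1);
	return 0;
}
```

The error sentinel is the design point worth keeping: with both the default and the error argument set to 0, a mistyped capability and an absent one look identical and both yield a password that never expires.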
Responsible Changed From-To: freebsd-bugs->des Assign to maintainer.
Hi, We are using this patch on a few recent 7-stable (FreeBSD 7.2-STABLE) and it works like a charm. Can you commit this please? -- Best Wishes, Stefan Lambrev ICQ# 24134177
Author: des Date: Tue Feb 2 13:47:18 2010 New Revision: 203377 URL: http://svn.freebsd.org/changeset/base/203377 Log: Respect passwordtime from login.conf if set. PR: bin/93473 Submitted by: Björn König <bkoenig@cs.tu-berlin.de> MFC after: 1 week Modified: head/lib/libpam/modules/pam_unix/pam_unix.c Modified: head/lib/libpam/modules/pam_unix/pam_unix.c ============================================================================== --- head/lib/libpam/modules/pam_unix/pam_unix.c Tue Feb 2 11:09:28 2010 (r203376) +++ head/lib/libpam/modules/pam_unix/pam_unix.c Tue Feb 2 13:47:18 2010 (r203377) @@ -271,10 +271,11 @@ pam_sm_chauthtok(pam_handle_t *pamh, int const void *yp_domain, *yp_server; #endif char salt[SALTSIZE + 1]; - login_cap_t * lc; + login_cap_t *lc; struct passwd *pwd, *old_pwd; const char *user, *old_pass, *new_pass; char *encrypted; + time_t passwordtime; int pfd, tfd, retval; if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) @@ -377,11 +378,17 @@ pam_sm_chauthtok(pam_handle_t *pamh, int if ((old_pwd = pw_dup(pwd)) == NULL) return (PAM_BUF_ERR); - pwd->pw_change = 0; lc = login_getclass(pwd->pw_class); if (login_setcryptfmt(lc, password_hash, NULL) == NULL) openpam_log(PAM_LOG_ERROR, "can't set password cipher, relying on default"); + + /* set password expiry date */ + pwd->pw_change = 0; + passwordtime = login_getcaptime(lc, "passwordtime", 0, 0); + if (passwordtime > 0) + pwd->pw_change = time(NULL) + passwordtime; + login_close(lc); makesalt(salt); pwd->pw_passwd = crypt(new_pass, salt); _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
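Review bot: The second hunk calls time(NULL) and declares a time_t, but no hunk in this commit adds `#include <time.h>`, so the build relies on a transitive include; add it explicitly (the r234741 merge further down does). In the same hunk, `login_getcaptime(lc, "passwordtime", 0, 0)` passes 0 as both the default and the error value, so a malformed passwordtime in login.conf is indistinguishable from an unset one and silently leaves `pwd->pw_change = 0`, i.e. a password that never expires; pass a distinct error sentinel and openpam_log() it so a configuration typo fails loudly instead of disabling expiry.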
State Changed From-To: open->patched Similar patch committed, awaiting MFC
I see that this change has still not been committed. May I suggest that the change committed also incorporate the capability to specify/enforce a minimum password age (required by some government policies and most other operating systems have this capability already). I have included source below which addresses both the requirements for a max and min password age. [root@dev /usr/src/lib/libpam/modules/pam_unix]# diff pam_unix.c.orig pam_unix.c 380d379 < pwd->pw_change = 0; 381a381,398 > > time_t pwtime, pwtimemin, pwchangenew; > pwtime = login_getcaptime(lc, "passwordtime", 0, 0); > pwtimemin = login_getcaptime(lc, "passwordtimemin", 0, 0); > > if (pwtime > (time_t)0) { > pwchangenew = time(NULL) + pwtime; > if (pwtimemin > (time_t)0 && > pwd->pw_change && > pwchangenew - pwd->pw_change < pwtimemin) { > openpam_log(PAM_LOG_ERROR, "Minimum password age (passwordtimemin) enforced."); > return (PAM_PERM_DENIED); > } > pwd->pw_change = pwchangenew; > } else { > pwd->pw_change = 0; > } >
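Review bot: The minimum-age check in the `381a381,398` block is applied unconditionally; the added lines contain no uid test, so the superuser resetting another user's password inside the passwordtimemin window is also refused with PAM_PERM_DENIED, which turns a policy control into a lockout for administrators. Exempt uid 0 from that check. Two smaller points in the same block: `return (PAM_PERM_DENIED)` leaves before the later `login_close(lc)` and never frees the `old_pwd` obtained from `pw_dup()` just above it, and the age is computed as `pwchangenew - pwd->pw_change`, i.e. from the stored expiry stamp rather than from a last-change time, so it is only right while passwordtime has not been edited in login.conf since the last change and gives a wrong age whenever pw_change was set by an administrator rather than by this module.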
Author: des Date: Fri Apr 27 21:40:51 2012 New Revision: 234741 URL: http://svn.freebsd.org/changeset/base/234741 Log: MFH r203377, r215680, r227044, r227105: mainly, respect passwordtime. PR: 93310, 93473 Modified: stable/8/lib/libpam/modules/pam_unix/pam_unix.8 stable/8/lib/libpam/modules/pam_unix/pam_unix.c Modified: stable/8/lib/libpam/modules/pam_unix/pam_unix.8 ============================================================================== --- stable/8/lib/libpam/modules/pam_unix/pam_unix.8 Fri Apr 27 20:23:24 2012 (r234740) +++ stable/8/lib/libpam/modules/pam_unix/pam_unix.8 Fri Apr 27 21:40:51 2012 (r234741) @@ -188,3 +188,9 @@ password database. .Xr pam 8 , .Xr pw 8 , .Xr yp 8 +.Sh BUGS +The +.Nm +module ignores the +.Dv PAM_CHANGE_EXPIRED_AUTHTOK +flag. Modified: stable/8/lib/libpam/modules/pam_unix/pam_unix.c ============================================================================== --- stable/8/lib/libpam/modules/pam_unix/pam_unix.c Fri Apr 27 20:23:24 2012 (r234740) +++ stable/8/lib/libpam/modules/pam_unix/pam_unix.c Fri Apr 27 21:40:51 2012 (r234741) @@ -50,6 +50,7 @@ __FBSDID("$FreeBSD$"); #include <string.h> #include <stdio.h> #include <syslog.h> +#include <time.h> #include <unistd.h> #include <libutil.h> @@ -80,8 +81,6 @@ static char password_hash[] = PASSWORD_ #define PAM_OPT_LOCAL_PASS "local_pass" #define PAM_OPT_NIS_PASS "nis_pass" -char *tempname = NULL; - /* * authentication management */ @@ -271,10 +270,11 @@ pam_sm_chauthtok(pam_handle_t *pamh, int const void *yp_domain, *yp_server; #endif char salt[SALTSIZE + 1]; - login_cap_t * lc; + login_cap_t *lc; struct passwd *pwd, *old_pwd; const char *user, *old_pass, *new_pass; char *encrypted; + time_t passwordtime; int pfd, tfd, retval; if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) 
@@ -377,11 +377,17 @@ pam_sm_chauthtok(pam_handle_t *pamh, int if ((old_pwd = pw_dup(pwd)) == NULL) return (PAM_BUF_ERR); - pwd->pw_change = 0; lc = login_getclass(pwd->pw_class); if (login_setcryptfmt(lc, password_hash, NULL) == NULL) openpam_log(PAM_LOG_ERROR, "can't set password cipher, relying on default"); + + /* set password expiry date */ + pwd->pw_change = 0; + passwordtime = login_getcaptime(lc, "passwordtime", 0, 0); + if (passwordtime > 0) + pwd->pw_change = time(NULL) + passwordtime; + login_close(lc); makesalt(salt); pwd->pw_passwd = crypt(new_pass, salt);
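Review bot: The only manual-page change in this merge is the new BUGS entry in pam_unix.8 about `PAM_CHANGE_EXPIRED_AUTHTOK`; the behavioural change itself (pw_change is now set from the login class's passwordtime capability and reset to 0 when that capability is unset) is not mentioned anywhere in the page, so an administrator reading pam_unix(8) gets no pointer to login.conf(5). Add a sentence to the description and a `.Xr login.conf 5` cross-reference in SEE ALSO if one is not already there. The rest is consistent: `#include <time.h>` now backs the time(NULL) call that the original r203377 hunk left to a transitive include, and dropping the unused `tempname` global is harmless.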
State Changed From-To: patched->closed fixed and mfced