[#1000700] pam_pg expired is logged but users can still log in


2006-08-06 12:15
Submitted by:
Assigned to: Russell Smith (mr-russ)

Detailed description
I am using pam_pgsql-1.0.0 and have the following configs.

> getpassword = SELECT passwd FROM shadow WHERE username = $1
> changepw = UPDATE shadow SET passwd = $2, lastchange = DEFAULT WHERE username = $1
> isexpired = SELECT 1 FROM shadow WHERE user = $1 AND NOT expire IS NULL AND NOT (to_number(to_char(now(), 'J'::text), '99999999'::text) - to_number(to_char(('1970-01-01'::date)::timestamp with time zone, 'J'::text), '99999999'::text)) < expire
> newpassrequired = SELECT 1 FROM shadow WHERE user = $1 AND lastchange + max < (to_number(to_char(now(), 'J'::text), '99999999'::text) - to_number(to_char(('1970-01-01'::date)::timestamp with time zone, 'J'::text), '99999999'::text))
> pw_type = crypt
> debug

There is a big SQL thing that translates NOW() into the number format used by pam. This works fine, and newpassrequired and isexpired resolve well. When I log in with a passwdreq account I have to choose a new password. That is fine. But when I log in with an expired account it succeeds. In the logs I find

> (pam_unix) account xyz has expired (account expired)

Shouldn't that lead to PAM_AUTH_ERR?

Another funny thing is that pam_unix says that, since pam_unix should not even know about that user.

Here is my pam config:

> auth required
> auth required
> auth sufficient nullok_secure
> auth sufficient use_first_pass
> auth required

> account sufficient /lib/security/
> account sufficient /lib/security/

> password sufficient use_authtok
> password sufficient nullok obscure min=4 max=8 md5

> session required skel=/etc/skel/ umask=0022
> session required
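The two account queries in the report both reduce to one comparison against "days since 1970-01-01", the unit /etc/shadow stores. The following is an added example, not code from the pam_pgsql project or from the report: it runs the same isexpired and newpassrequired conditions over constructed sample rows on PostgreSQL, replacing the Julian-day arithmetic with a plain date subtraction that yields the same number. It filters on the `username` column that the report's getpassword query uses; note that an unqualified `user` is a reserved word in PostgreSQL naming the session role, not a column. The column names and the sample users are assumptions for this example.

```sql
-- Added example; not code from the pam_pgsql project or the bug report.
-- Assumes a table with the columns the report's queries use
-- (username, passwd, lastchange, max, expire), where lastchange and expire
-- are stored as days since 1970-01-01, as in /etc/shadow.
-- The rows below are constructed sample data, expressed relative to today
-- so the result does not depend on when the query is run.
WITH today AS (
    -- Days since the epoch. Same value as the report's
    -- to_number(to_char(now(), 'J'), ...) - to_number(to_char('1970-01-01', 'J'), ...)
    SELECT (current_date - date '1970-01-01') AS days
),
shadow AS (
    SELECT v.username,
           v.passwd,
           t.days - v.changed_days_ago AS lastchange,
           v.max,
           t.days + v.expires_in_days  AS expire   -- NULL stays NULL: never expires
    FROM (VALUES
        ('alice', 'x',  30, 90, NULL::integer),  -- fresh password, no expiry date
        ('bob',   'x',  30, 90, -1),             -- account expired yesterday
        ('carol', 'x', 120, 90, 30)              -- password older than max days
    ) AS v(username, passwd, changed_days_ago, max, expires_in_days)
    CROSS JOIN today t
)
SELECT s.username,
       -- isexpired: the report's condition without the double NOT:
       -- an expire date is set and today has reached it
       (s.expire IS NOT NULL AND t.days >= s.expire) AS is_expired,
       -- newpassrequired: the password is older than max days
       (s.lastchange + s.max < t.days)                AS new_pass_required
FROM shadow s
CROSS JOIN today t
ORDER BY s.username;
```

Run against a PostgreSQL server this returns alice as neither expired nor due for a password change, bob as expired, and carol as needing a new password. In a pam_pgsql config the two SELECT expressions become the isexpired and newpassrequired queries with `WHERE username = $1` and `SELECT 1` in place of the boolean columns. The query only answers whether the account is expired; whether that answer denies the login depends on the PAM module's return code and on the control flags in the account stack, which is the question this report raises.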


Date: 2007-04-25 06:59
Sender: Russell Smith

PAM unix does know about it, as it uses nss to look up usernames and passwords. You can use just pgsql_nss if you don't want to be able to change passwords.

I am unsure about the way pam and expired passwords work, but I will investigate unless you have more information.

Field        Old Value   Date              By
assigned_to  none        2007-04-25 06:59  mr-russ