
[#1000700] pam_pg expired is logged but users can still log in


Date:
2006-08-06 12:15
Priority:
3
State:
Open
Submitted by:
Nobody
Assigned to:
Russell Smith (mr-russ)
Category:
Group:
Resolution:
None
 
Summary:
pam_pg expired is logged but users can still log in

Detailed description
I am using pam_pgsql-1.0.0 and have the following configs.

> getpassword = SELECT passwd FROM shadow WHERE username = $1
> changepw = UPDATE shadow SET passwd = $2, lastchange = DEFAULT WHERE username = $1
> isexpired = SELECT 1 FROM shadow WHERE user = $1 AND NOT expire IS NULL AND NOT (to_number(to_char(now(), 'J'::text), '99999999'::text) - to_number(to_char(('1970-01-01'::date)::timestamp with time zone, 'J'::text), '99999999'::text)) < expire
> newpassrequired = SELECT 1 FROM shadow WHERE user = $1 AND lastchange + max < (to_number(to_char(now(), 'J'::text), '99999999'::text) - to_number(to_char(('1970-01-01'::date)::timestamp with time zone, 'J'::text), '99999999'::text))
> pw_type = crypt
> debug

There is a big SQL thing that translates NOW() into the number format used by pam. This works fine and newpassrequired and isexpired resolve well. When I log in with a passwdreq account I have to choose a new password. That is fine. But when I log in with an expired account it succeeds. In the logs I find

> (pam_unix) account xyz has expired (account expired)

Shouldn't that lead to PAM_AUTH_ERR?

Another funny thing is that pam_unix says that, since pam_unix should not even know about that user.

Here is my PAM config:

> auth required pam_nologin.so
> auth required pam_env.so
> auth sufficient pam_unix.so nullok_secure
> auth sufficient pam_pgsql.so use_first_pass
> auth required pam_deny.so

> account sufficient /lib/security/pam_unix.so
> account sufficient /lib/security/pam_pgsql.so

> password sufficient pam_pgsql.so use_authtok
> password sufficient pam_unix.so nullok obscure min=4 max=8 md5

> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required pam_unix.so
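
The behaviour in the report follows from the control flags in the posted `account` stack: a `sufficient` module's failure is ignored, so when pam_unix (which sees the user through NSS) returns PAM_ACCT_EXPIRED and logs it, the stack simply moves on to `account sufficient pam_pgsql.so`, and if that module succeeds the application gets PAM_SUCCESS. A second caveat worth checking: in PostgreSQL `user` is a reserved word standing for `current_user`, so the posted `isexpired` and `newpassrequired` queries (`WHERE user = $1`) compare the database role name with `$1` rather than the `username` column that `getpassword` uses, which would keep `isexpired` from matching any row. The script below is an added illustration, not Linux-PAM or pam_pgsql code: it models the classic pam.conf control-flag semantics and runs the posted stack, plus an assumed `required pam_unix.so` variant, over module verdicts constructed to match the report.

```python
"""Simplified model of how Linux-PAM walks a module stack (added illustration;
not Linux-PAM or pam_pgsql code). Module return codes are constructed from the
bug report: pam_unix sees the expiry via NSS, pam_pgsql's isexpired matches
nothing, so the stack's overall verdict can be reproduced offline."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"
PAM_ACCT_EXPIRED = "PAM_ACCT_EXPIRED"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

_CONTROLS = ("required", "requisite", "sufficient", "optional")


def run_stack(stack, results):
    """Walk `stack`, a list of (control_flag, module) pairs in pam.conf order,
    look up each module's return code in `results`, and return the verdict the
    application receives. Classic flags, per pam.conf(5):
      required   failure is recorded (first one wins) but later modules still run
      requisite  failure ends the stack with that code immediately
      sufficient success ends the stack unless an earlier 'required' module
                 failed; failure is ignored
      optional   success contributes only if nothing else decides; failure ignored
    PAM_NEW_AUTHTOK_REQD counts as a non-failure that asks for a password change.
    """
    first_failure = None    # recorded by the first failing 'required' module
    new_token_reqd = False  # a binding module returned PAM_NEW_AUTHTOK_REQD
    saw_success = False
    for control, module in stack:
        if control not in _CONTROLS:
            raise ValueError(f"unsupported control flag {control!r}")
        rc = results[module]
        failed = rc not in (PAM_SUCCESS, PAM_NEW_AUTHTOK_REQD)
        if control == "sufficient":
            if failed:
                continue  # default=ignore: the failure leaves no trace
            # success=done / new_authtok_reqd=done: stop here; the verdict is
            # this module's code unless a binding module already decided.
            if first_failure is not None:
                return first_failure
            return PAM_NEW_AUTHTOK_REQD if new_token_reqd else rc
        if control == "requisite" and failed:
            return rc  # default=die: abort the stack at once
        if control == "required" and failed:
            if first_failure is None:
                first_failure = rc
            continue
        if not failed:  # 'ok': this code contributes to the final verdict
            saw_success = True
            new_token_reqd = new_token_reqd or rc == PAM_NEW_AUTHTOK_REQD
        # a failed 'optional' module is ignored
    if first_failure is not None:
        return first_failure
    if new_token_reqd:
        return PAM_NEW_AUTHTOK_REQD
    return PAM_SUCCESS if saw_success else PAM_PERM_DENIED


# Constructed module verdicts for the expired user in the report: pgsql_nss makes
# the user visible to pam_unix, which returns PAM_ACCT_EXPIRED and logs
# "account xyz has expired", while pam_pgsql's isexpired query returns no row.
REPORTED = {"pam_unix.so": PAM_ACCT_EXPIRED, "pam_pgsql.so": PAM_SUCCESS}

# The account stack exactly as posted in the report.
POSTED_ACCOUNT_STACK = [("sufficient", "pam_unix.so"), ("sufficient", "pam_pgsql.so")]

# Assumed alternative (not from the report): make pam_unix's verdict binding so
# an expiry seen through NSS cannot be ignored. Only safe if every pam_pgsql
# user is also resolvable through NSS, otherwise pam_unix fails for unknown users.
REQUIRED_UNIX_STACK = [("required", "pam_unix.so"), ("sufficient", "pam_pgsql.so")]


def demo():
    """Verdicts for the scenarios discussed, keyed by a short label."""
    return {
        "posted stack, expired user": run_stack(POSTED_ACCOUNT_STACK, REPORTED),
        "posted stack, both modules reject": run_stack(
            POSTED_ACCOUNT_STACK,
            {"pam_unix.so": PAM_ACCT_EXPIRED, "pam_pgsql.so": PAM_ACCT_EXPIRED}),
        "posted stack, password change due": run_stack(
            POSTED_ACCOUNT_STACK,
            {"pam_unix.so": PAM_NEW_AUTHTOK_REQD, "pam_pgsql.so": PAM_SUCCESS}),
        "required pam_unix, expired user": run_stack(REQUIRED_UNIX_STACK, REPORTED),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:36s} -> {verdict}")
```

The first scenario is the one reported: pam_unix's PAM_ACCT_EXPIRED is logged and then ignored, and pam_pgsql's success ends the stack with PAM_SUCCESS. The third scenario also shows why the password-change case works even if pam_pgsql's queries never match: pam_unix itself, reading `lastchange` and `max` through NSS, returns PAM_NEW_AUTHTOK_REQD, and the stack returns it before pam_pgsql runs at all. Whether the fix is a working `isexpired` query (so pam_pgsql rejects too, giving PAM_PERM_DENIED) or a binding pam_unix entry, the expired account is only refused once some module's failure is allowed to count.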

Followup

Message
Date: 2007-04-25 06:59
Sender: Russell Smith

PAM unix does know about it, as pam_unix.so uses nss to lookup usernames and passwords. You can use just pgsql_nss if you don't want to be able to change passwords.

I am unsure about the way pam and expired passwords work, but I will investigate unless you have more information.

Attached Files:

Changes:

Field        Old Value   Date              By
assigned_to  none        2007-04-25 06:59  mr-russ