NSS and PAM Modules
[#1000700] pam_pg expired is logged but users can still log in
Date: 2006-08-06 12:15
Priority: 3
State: Open
Submitted by: Nobody
Assigned to: Russell Smith (mr-russ)
Resolution: None
Detailed description
I am using pam_pgsql-1.0.0 and have the following configs.
> getpassword = SELECT passwd FROM shadow WHERE username = $1
> changepw = UPDATE shadow SET passwd = $2, lastchange = DEFAULT WHERE username = $1
> isexpired = SELECT 1 FROM shadow WHERE user = $1 AND NOT expire IS NULL AND NOT (to_number(to_char(now(), 'J'::text), '99999999'::text) - to_number(to_char(('1970-01-01'::date)::timestamp with time zone, 'J'::text), '99999999'::text)) < expire
> newpassrequired = SELECT 1 FROM shadow WHERE user = $1 AND lastchange + max < (to_number(to_char(now(), 'J'::text), '99999999'::text) - to_number(to_char(('1970-01-01'::date)::timestamp with time zone, 'J'::text), '99999999'::text))
> pw_type = crypt
> debug
There is a big SQL thing that translates NOW() into the number format used by pam. This works fine and newpassrequired and isexpired resolve well. When I log in with a passwdreq account I have to choose a new password. That is fine. But when I log in with an expired account it succeeds. In the logs I find
> (pam_unix) account xyz has expired (account expired)
Shouldn't that lead to PAM_AUTH_ERR?
Another funny thing is that pam_unix says that, since pam_unix should not even know about that user.
Here is my pam config:
> auth required pam_nologin.so
> auth required pam_env.so
> auth sufficient pam_unix.so nullok_secure
> auth sufficient pam_pgsql.so use_first_pass
> auth required pam_deny.so
> account sufficient /lib/security/pam_unix.so
> account sufficient /lib/security/pam_pgsql.so
> password sufficient pam_pgsql.so use_authtok
> password sufficient pam_unix.so nullok obscure min=4 max=8 md5
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required pam_unix.so
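Added illustration, not part of the report and not pam_pgsql code: what the reporter's isexpired and newpassrequired queries actually compute. The long to_char(..., 'J') expression is the Julian Day Number of today minus the Julian Day Number of 1970-01-01, i.e. days since the Unix epoch, which is the unit /etc/shadow and pam_unix use for lastchange, max and expire. The Python below reproduces that arithmetic and the two predicates over a constructed shadow table; the column values and user names are made up for the example.

```python
"""Added example: reproduce the pam_pgsql isexpired / newpassrequired queries.

SQL from the report:
  to_number(to_char(now(), 'J'), '99999999')
    - to_number(to_char('1970-01-01'::date, 'J'), '99999999')
is JDN(today) - JDN(epoch) = days since 1970-01-01 (shadow's day unit).
SAMPLE_SHADOW is constructed sample data, not real accounts.
"""
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed rows mirroring the reporter's shadow table (day counts since epoch).
SAMPLE_SHADOW = {
    "alice": {"lastchange": 13000, "max": 90, "expire": None},   # password too old
    "bob":   {"lastchange": 13300, "max": 90, "expire": 13200},  # account expired
    "carol": {"lastchange": 13300, "max": 90, "expire": 14000},  # fine
}


def julian_day_number(d: date) -> int:
    """Julian Day Number of a Gregorian date; matches PostgreSQL to_char(d, 'J')."""
    a = (14 - d.month) // 12
    y = d.year + 4800 - a
    m = d.month + 12 * a - 3
    return d.day + (153 * m + 2) // 5 + 365 * y + y // 4 - y // 100 + y // 400 - 32045


def days_since_epoch(d: date) -> int:
    """Shadow-style day count, computed the same way the SQL expression does."""
    return julian_day_number(d) - julian_day_number(EPOCH)


def is_expired(row: dict, today: date) -> bool:
    """isexpired: expire IS NOT NULL AND NOT today_days < expire."""
    expire = row.get("expire")
    return expire is not None and not days_since_epoch(today) < expire


def new_pass_required(row: dict, today: date) -> bool:
    """newpassrequired: lastchange + max < today_days (NULLs never match, as in SQL)."""
    if row.get("lastchange") is None or row.get("max") is None:
        return False
    return row["lastchange"] + row["max"] < days_since_epoch(today)


def account_status(row: dict, today: date) -> str:
    """Summarise the two checks the way the account phase would see them."""
    if is_expired(row, today):
        return "expired"
    if new_pass_required(row, today):
        return "password change required"
    return "ok"


if __name__ == "__main__":
    today = date(2006, 8, 6)  # the date the bug was filed
    print("days since epoch:", days_since_epoch(today))
    for user, row in SAMPLE_SHADOW.items():
        print(f"{user}: {account_status(row, today)}")
```

The Julian-day subtraction and `(today - EPOCH).days` give the same number, so a shorter equivalent in PostgreSQL would be `(current_date - date '1970-01-01')`, which yields the integer day count directly.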
Followup
Date: 2007-04-25 06:59
Sender: Russell Smith
PAM unix does know about it, as pam_unix.so uses nss to lookup usernames and passwords. You can use just pgsql_nss if you don't want to be able to change passwords.
I am unsure about the way pam and expired passwords work, but I will investigate unless you have more information.
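Added example, not part of the thread and not Linux-PAM or pam_pgsql code: a small model of how Linux-PAM walks an account stack, applied to the reporter's configuration. The account section above consists of two `sufficient` entries and nothing else. Under Linux-PAM's control-flag rules a failing `sufficient` module is simply ignored, and a succeeding one ends the stack with success unless an earlier `required` module has already failed. The assumption made here, taken from the logged "(pam_unix) account xyz has expired" line, is that pam_unix returns PAM_ACCT_EXPIRED and pam_pgsql returns PAM_SUCCESS for the expired user; the simulator then shows the whole account phase succeeding, which matches the reported behaviour. The "strict" stack is one illustrative rearrangement, not a project recommendation.

```python
"""Added example: model Linux-PAM's handling of the four simple control flags
(required, requisite, sufficient, optional) and run the reporter's account
stack through it. Module return codes are supplied by hand (assumptions).
"""
from typing import Dict, List, Tuple

SUCCESS = "PAM_SUCCESS"
PERM_DENIED = "PAM_PERM_DENIED"        # what Linux-PAM returns when no module decided
ACCT_EXPIRED = "PAM_ACCT_EXPIRED"
NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"

Stack = List[Tuple[str, str]]          # [(control flag, module name), ...]
Results = Dict[str, str]               # module name -> code it returns (default SUCCESS)


def run_stack(stack: Stack, results: Results) -> str:
    """Return the code the stack as a whole yields.

    Mirrors Linux-PAM's impression/status bookkeeping:
      required   failure remembered (first one wins), stack continues
      requisite  failure returned immediately
      sufficient success returns at once unless a 'required' already failed;
                 failure is ignored
      optional   only counts when nothing else has decided
    SUCCESS and NEW_AUTHTOK_REQD both count as "ok" for every flag.
    """
    impression = None                   # None: undecided, True: positive, False: negative
    status = PERM_DENIED
    for control, module in stack:
        rc = results.get(module, SUCCESS)
        ok = rc in (SUCCESS, NEW_AUTHTOK_REQD)
        if control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression, status = True, rc
            else:
                if impression is not False:
                    impression, status = False, rc
                if control == "requisite":
                    return status       # die: stop right here
        elif control == "sufficient":
            if ok:
                if impression is None:
                    impression, status = True, rc
                if impression is True:
                    return status       # done: later modules never run
            # a failing 'sufficient' module changes nothing
        elif control == "optional":
            if ok and impression is None:
                impression, status = True, rc
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    if status == SUCCESS and impression is not True:
        status = PERM_DENIED            # Linux-PAM's sanity check
    return status


# The reporter's account section: two 'sufficient' modules and nothing else.
REPORTED_ACCOUNT_STACK: Stack = [
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_pgsql.so"),
]

# Illustrative alternative (assumption: pam_unix sees every user via NSS, as
# the followup says): a 'required' failure is remembered and returned.
STRICT_ACCOUNT_STACK: Stack = [
    ("required", "pam_unix.so"),
    ("required", "pam_pgsql.so"),
]

# Assumed module results for the expired user from the report.
EXPIRED_USER: Results = {"pam_unix.so": ACCT_EXPIRED, "pam_pgsql.so": SUCCESS}
VALID_USER: Results = {}               # every module returns SUCCESS


if __name__ == "__main__":
    for name, stack in (("reported", REPORTED_ACCOUNT_STACK),
                        ("strict", STRICT_ACCOUNT_STACK)):
        print(f"{name} stack, expired user: {run_stack(stack, EXPIRED_USER)}")
        print(f"{name} stack, valid user:   {run_stack(stack, VALID_USER)}")
```

Running it shows the reported stack returning PAM_SUCCESS for the expired user (pam_unix's PAM_ACCT_EXPIRED is dropped, pam_pgsql's success ends the stack), while the strict stack returns PAM_ACCT_EXPIRED. Any fix along these lines has to be checked against users that exist only in PostgreSQL, since with `required` both modules must pass.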
Changes:
assigned_to: none (changed 2007-04-25 06:59 by mr-russ)