Hi, Nicolas!

On Mon, Mar 28, 2005 at 01:24:04AM +0200, Nicolas François wrote:
> > If the user has the expiry field[0] set to 0 in /etc/shadow, the passwd
> > command treats it as an expired account[1] whereas chage[2] displays
> > that it will never expire. Removing the 0 to make the field empty makes
> > passwd[3] and chage[2] accept it. I can ssh in with openssh.
...
> su considers the password will never expire, as chage does.
> passwd considers it has expired.
...
> > This did not happen in Debian 2.1. In Red Hat 7.0 you can neither su to
> > the account (from non-root), run passwd nor login with openssh.
> >
> > The question is.. what's right? Is 0 disabled or enabled? Just lack of
> > good spec?
IMHO, the right way is to treat the semantics of shadow's 8th field
literally. I.e. a value of 0 should mean that the account expires Jan 1,
1970. Period. Everything else should be fixed accordingly. Debian 2.1
and RH7.0 did the things right in this aspect.

> That is the question, and the reason why I'm CCing the Debian PAM
> maintainer.
> Maybe Tomasz, you can also help on this issue.

Tomasz could consult us about Solaris behavior with regard to these
matters. ;)

> Is there a specification on the expiry field?

I'd love to know, too...

> IMHO PAM is standardized by the Open Group, but
> to what extent?

I would not rely upon "PAM specification" :-/.

> Currently, the best solution I can see is to document the fact that an
> expiry field of 0 means the password never expires

With this you propose to kill any distinction between a 0 value in the
8th shadow field and _no_ _value_ in it.

// None vs. 0 concept
None == no expiration
0 == earliest possible expiration

-- 
WBR, xrgtn
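Added example, not code from this thread or from the shadow/passwd suite: a small Python checker that parses constructed /etc/shadow lines and classifies each account under both readings discussed above. The "literal" reading is the one argued for in this message (empty field = never expires, 0 = expires on day 0 = 1970-01-01); the "lenient" reading is the chage/su behaviour described by Nicolas (0 treated like an empty field). The sample entries, the placeholder hashes and the `today` date are all constructed; the "expired when today >= expiry date" comparison is an assumption.

```python
"""Audit the account-expiry field (field 8) of /etc/shadow entries.

Added example (not from the thread or the shadow suite). Field 8 holds
the account expiry as a number of days since 1970-01-01; an empty field
means the account never expires. The discrepancy in the thread is what
to do with a literal 0: the literal reading (argued for above) treats it
as day 0 = 1970-01-01 and hence expired; the lenient reading (chage/su
as described by Nicolas) treats it like an empty field.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

EPOCH = date(1970, 1, 1)

# Constructed sample entries; the hashes are placeholders, not real hashes.
# alice: empty expiry field, bob: literal 0, carol: day 12900 (2005-04-27),
# dave: far-future value.
SAMPLE_SHADOW = """\
alice:$6$PLACEHOLDER:12800:0:99999:7:::
bob:$6$PLACEHOLDER:12800:0:99999:7::0:
carol:$6$PLACEHOLDER:12800:0:99999:7::12900:
dave:$6$PLACEHOLDER:12800:0:99999:7::99999:
"""


@dataclass
class ShadowEntry:
    name: str
    lastchg: Optional[int]   # field 3: days since epoch of last change
    expire: Optional[int]    # field 8: days since epoch, None when empty


def _day(field: str) -> Optional[int]:
    """An empty field is 'not set' (None); anything else is an integer day count."""
    return int(field) if field != "" else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow(5) line into the fields this checker cares about."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    return ShadowEntry(name=fields[0], lastchg=_day(fields[2]), expire=_day(fields[7]))


def expiry_date(entry: ShadowEntry, literal: bool = True) -> Optional[date]:
    """Return the calendar date the account expires, or None for 'never'.

    literal=True : 0 is day 0, i.e. 1970-01-01 (the reading argued for above).
    literal=False: 0 is treated like an empty field (the chage/su reading).
    """
    if entry.expire is None:
        return None
    if entry.expire == 0 and not literal:
        return None
    return EPOCH + timedelta(days=entry.expire)


def account_status(entry: ShadowEntry, today: date, literal: bool = True) -> str:
    """'never', 'expired' or 'active'. Assumes expired when today >= expiry date."""
    exp = expiry_date(entry, literal)
    if exp is None:
        return "never"
    return "expired" if today >= exp else "active"


def audit(shadow_text: str, today_iso: str, literal: bool = True) -> Dict[str, str]:
    """Classify every entry in a shadow-format text for the given ISO date."""
    today = date.fromisoformat(today_iso)
    result = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        result[entry.name] = account_status(entry, today, literal)
    return result


if __name__ == "__main__":
    # Constructed "today": the date of the message this example follows.
    for reading in (True, False):
        label = "literal" if reading else "lenient"
        print(f"{label:8s}", audit(SAMPLE_SHADOW, "2005-03-28", literal=reading))
```

Running it side by side shows exactly the disagreement in the thread: under the literal reading bob is "expired" while under the lenient one bob is "never", and only the literal reading keeps bob (0) and alice (empty) distinguishable.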