author | Dmitry V. Levin <ldv@altlinux.org> | 2021-06-10 14:00:00 +0000 |
---|---|---|
committer | Dmitry V. Levin <ldv@altlinux.org> | 2021-06-10 14:00:00 +0000 |
commit | 980d90c9232fe5325d1a4deddd42c597cf9e1a54 (patch) | |
tree | 7b66e60d8f9fc9d6ec3d27cde4b011bcbb2cabf2 | |
parent | bd76c538ef4747912733458a5d9e645424ea93fb (diff) | |
pam_unix: do not use crypt_checksalt when checking for password expiration

According to Zack Weinberg, the intended meaning of
CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
method", it is not supposed to mean "force a password change on next
login for any user with an existing stored hash using this method".

This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.

* modules/pam_unix/passverify.c (check_shadow_expiry)
[CRYPT_CHECKSALT_AVAILABLE]: Remove.

Closes: https://github.com/linux-pam/linux-pam/issues/367
-rw-r--r-- | modules/pam_unix/passverify.c | 6 |
1 files changed, 0 insertions, 6 deletions
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index f6132f80..5a19ed85 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry, D(("account expired")); return PAM_ACCT_EXPIRED; } -#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE - if (spent->sp_lstchg == 0 || - crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY || - crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) { -#else if (spent->sp_lstchg == 0) { -#endif D(("need a new password")); *daysleft = 0; return PAM_NEW_AUTHTOK_REQD; |
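
Review bot: The removed condition in check_shadow_expiry drops the CRYPT_SALT_TOO_CHEAP comparison together with CRYPT_SALT_METHOD_LEGACY, but the commit message argues only the LEGACY case. Please say in the message why a too-cheap hash should also stop returning PAM_NEW_AUTHTOK_REQD, or state that it goes only because this is a straight revert. With both comparisons gone, the remaining `if (spent->sp_lstchg == 0) {` is the only path in this block that forces a new password, so a short comment above it noting that the strength of the hash in sp_pwdp is deliberately not evaluated here would help keep the check from being reintroduced later. Administrators who relied on the old behaviour to phase out weak hashes get no signal at login after this change, which is worth mentioning in the release notes.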