From 9ebc14085a3ba253598cfaa0d3f0d76ea5ee8ccb Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Wed, 13 Dec 2023 00:37:29 +0100
Subject: pam_unix: allow disabled password aging

According to shadow(5) manual page, an empty sp_lstchg field implies that password aging is disabled. This indeed is in sync with shadow's isexpired function.

Signed-off-by: Tobias Stoeckmann
---
 modules/pam_unix/passverify.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'modules/pam_unix/passverify.c')
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index a842b70d..7993737c 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -311,6 +311,11 @@ PAMH_ARG_DECL(int check_shadow_expiry,
 *daysleft = 0;
 return PAM_NEW_AUTHTOK_REQD;
 }
+ if (spent->sp_lstchg < 0) {
+ D(("password aging disabled"));
+ *daysleft = 0;
+ return PAM_SUCCESS;
+ }
 if (curdays < spent->sp_lstchg) {
 pam_syslog(pamh, LOG_DEBUG,
 "account %s has password changed in future",
-- cgit v1.2.3
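Review bot: The new `spent->sp_lstchg < 0` branch returns `PAM_SUCCESS` with only a `D((...))` trace, which as far as I know is compiled out of non-debug builds, so an account whose last-change field is empty (or has been blanked in the shadow file) skips every later aging check without leaving anything in the logs. I would log it through `pam_syslog(pamh, LOG_DEBUG, ...)` with the account name, the way the "password changed in future" branch just below does, so the condition can be audited. The test also accepts any negative value rather than only the value an empty field is read back as; a short comment such as `/* negative sp_lstchg: field empty, aging disabled per shadow(5) */` would make that intent explicit. The body of check_shadow_expiry starts and ends outside the hunk, so it is worth confirming that the account-expiry (`sp_expire`) test sits before this early return.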