diff --git a/Linux-PAM-allow-disabled-password-aging.patch b/Linux-PAM-allow-disabled-password-aging.patch
new file mode 100644
index 0000000..dd145a8
--- /dev/null
+++ b/Linux-PAM-allow-disabled-password-aging.patch
@@ -0,0 +1,31 @@
+From 9ebc14085a3ba253598cfaa0d3f0d76ea5ee8ccb Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann
+Date: Wed, 13 Dec 2023 00:37:29 +0100
+Subject: [PATCH] pam_unix: allow disabled password aging
+
+According to shadow(5) manual page, an empty sp_lstchg field implies
+that password aging is disabled.
+
+This indeed is in sync with shadow's isexpired function.
+
+Signed-off-by: Tobias Stoeckmann
+---
+ modules/pam_unix/passverify.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index a842b70d3..7993737c9 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -311,6 +311,11 @@ PAMH_ARG_DECL(int check_shadow_expiry,
+ *daysleft = 0;
+ return PAM_NEW_AUTHTOK_REQD;
+ }
++ if (spent->sp_lstchg < 0) {
++ D(("password aging disabled"));
++ *daysleft = 0;
++ return PAM_SUCCESS;
++ }
+ if (curdays < spent->sp_lstchg) {
+ pam_syslog(pamh, LOG_DEBUG,
+ "account %s has password changed in future",
diff --git a/pam.spec b/pam.spec
index 0724d4d..90050d0 100644
--- a/pam.spec
+++ b/pam.spec
@@ -15,7 +15,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 1.6.0
-Release: 1
+Release: 2
 Epoch: 1
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
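Review bot: In the embedded passverify.c hunk, the added test `if (spent->sp_lstchg < 0)` accepts every negative value, while the commit message justifies it only for an empty sp_lstchg field, and nothing on the added lines says which value an empty field becomes after parsing. Because this branch returns PAM_SUCCESS ahead of whatever checks follow it in check_shadow_expiry (the function starts and ends outside the hunk), a short comment would help anyone auditing the expiry logic: `/* sp_lstchg < 0: field empty in /etc/shadow, aging disabled per shadow(5); later aging checks are skipped on purpose */`. The branch also reports itself only through `D((...))`, which is presumably compiled out of normal builds, whereas the branch right after it uses `pam_syslog`; it is worth confirming that a silent skip is what is wanted here.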
@@ -55,6 +55,9 @@ Patch508: Linux-PAM-0.99.3.0-pamtimestampadm.patch Patch702: Linux-PAM-1.6.0-add-now-missing-nis-constant.patch # (akdengi> add user to default group users which need for Samba Patch801: Linux-PAM-1.1.4-group_add_users.patch +# https://github.com/linux-pam/linux-pam/issues/743 +# https://github.com/linux-pam/linux-pam/commit/9ebc14085a3ba253598cfaa0d3f0d76ea5ee8ccb +Patch802: Linux-PAM-allow-disabled-password-aging.patch %if %{with selinux} BuildRequires: selinux-devel >= 2.1.6-7
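Review bot: `Patch802` is declared here, but neither pam.spec hunk on this page adds a matching `%patch` line, so whether the fix reaches the built pam_unix depends on how %prep applies patches. If %prep uses `%autosetup` or `%autopatch` this is fine; if it lists patches explicitly, the package would ship release 2 without the change, which should be checked in the build log. The upstream issue and commit references in the comment are good provenance and make it easy to drop the backport once a release containing that commit is packaged.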