Re: minimum number of days between password change
Camaleón wrote:
> On Mon, 01 Nov 2010 21:35:20 +0000, Wolodja Wentland wrote:
>
>> On Mon, Nov 01, 2010 at 12:49 -0500, Ron Johnson wrote:
>
>>>> However, I'm able to change my password when logged in as guest as
>>>> many times as I want the same day
>>> If someone learns my password on day 2, they have full access to my
>>> account for 74 days, or I must beg for SysAdmin help?
>>> "Minimum number of days" isn't a very bright idea.
>> I completely agree¹, but this policy should still be enforced or it has
>> to be made clear that this setting is deprecated and no longer enforced.
>
> +1 for the enforcement.
>
>> --- chage manpage ---
>> -m, --mindays MIN_DAYS
>
> (...)
>
>> … which is clearly not working in the way it is described. I have not
>> reproduced this bug myself, but it is exactly that and should therefore
>> be reported - not by posting to d-d - but rather by executing "reportbug
>> passwd".
>
> I've tried in a lenny box and faced the same behaviour as the OP. Maybe
> the new policy is to be applied _a day after_ the change, or should it be
> enforced _as soon as_ changed? Is it a "passwd" error (not reading/applying
> the "/etc/shadow" mandate) or a "chage" one? :-?
>
> Greetings,
>
Even if the discussion on this topic shows that the mindays option of
chage might not be very useful in most cases, it doesn't work as it should.
I would like to file a new bug report, but I'm not sure against which
package. I'm considering either passwd or libpam-modules. I think
that I should choose the libpam-modules package, because my passwd
command uses PAM and is configured as follows:
> cat /etc/pam.d/passwd
@include common-password
> cat /etc/pam.d/common-password
password required pam_cracklib.so retry=3 difok=3 minlen=12 lcredit=0 ocredit=2 minclass=3
password required pam_unix.so use_authtok md5 remember=6
I suppose that the pam_unix.so library/module should check the aging
information in /etc/shadow before changing the password in this file.
Am I right?
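Added example, not code from this thread or from passwd/PAM: a small Python checker that parses shadow-format lines (constructed sample entries, made-up usernames and day numbers) and applies the minimum-age rule as shadow(5) documents it, which is exactly the check the thread observes not being enforced on password change.

```python
import datetime

# Constructed sample /etc/shadow entries (not from a real system). Fields are
# name:hash:lastchg:min:max:warn:inactive:expire:reserved, with lastchg
# counted in days since 1970-01-01. Day 14914 is 2010-11-01, the OP's date.
SAMPLE_SHADOW = """\
guest:$6$saltsalt$placeholderhash:14914:2:76:7:::
alice:$6$saltsalt$placeholderhash:14900:0:99999:7:::
bob:$6$saltsalt$placeholderhash::2:76:7:::
"""

EPOCH = datetime.date(1970, 1, 1)


def days_since_epoch(day):
    """Convert a date to the day count shadow(5) uses for lastchg."""
    return (day - EPOCH).days


def parse_shadow(text):
    """Return {user: (lastchg, mindays)}; empty aging fields become None."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError("malformed shadow line: %r" % line)
        lastchg, mindays = fields[2], fields[3]
        entries[fields[0]] = (int(lastchg) if lastchg else None,
                              int(mindays) if mindays else None)
    return entries


def change_allowed(entry, today):
    """The rule chage -m documents: a change is permitted only once at least
    mindays days have elapsed since lastchg (the day of change is day 0).
    An empty or zero mindays, or an empty lastchg, imposes no minimum."""
    lastchg, mindays = entry
    if lastchg is None or not mindays:
        return True
    return today - lastchg >= mindays


def audit(text, today):
    """Map each user to whether a password change would be allowed today."""
    return {u: change_allowed(e, today) for u, e in parse_shadow(text).items()}


if __name__ == "__main__":
    today = days_since_epoch(datetime.date.today())
    for user, ok in audit(SAMPLE_SHADOW, today).items():
        print("%s: change %s" % (user, "allowed" if ok else "too soon"))
```

Run against a real /etc/shadow (as root) it reports which accounts could change their password today under the documented rule, so the observed passwd behaviour can be compared with what the aging fields say.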