• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

login program inhibits "Password Expired" messages

AncientGeek

New Member


Messages: 5

#1
In /etc/login.conf ( login.conf(5) ) there is a setting called warnpassword that is used to set the amount of time before password expiration during which the user should get a warning upon login. However, under normal circumstances, this warning isn't displayed.

In the source code for pam_unix(8) it shows the following:
Code:
    if (pwd->pw_change) {
       warntime = login_getcaptime(lc, "warnpassword",
           DEFAULT_WARN, DEFAULT_WARN);
       if (tp.tv_sec >= pwd->pw_change) {
           retval = PAM_NEW_AUTHTOK_REQD;
       } else if (pwd->pw_change - tp.tv_sec < warntime &&
           (flags & PAM_SILENT) == 0) {
           pam_error(pamh, "Warning: your password expires on %s",
               ctime(&pwd->pw_change));
       }
   }
The problem is that under normal circumstances, the login(1) program sets the PAM_SILENT flag in getloginname():

Code:
    if (nbuf[0] == '-') {
       pam_silent = 0;
       memmove(nbuf, nbuf + 1, strlen(nbuf));
   } else {
       pam_silent = PAM_SILENT;
   }
(nbuf holds the entered username)

A normal username will run the PAM modules with PAM_SILENT set, so warning messages will never be displayed. But if I prefix the username with a hyphen, I do see the warning message! (And any other PAM messages, I expect.) Is this a known "feature" of username entry? Am I missing some other setting that will allow a user doing a normal login to see the expiration warning message?