In /etc/login.conf (login.conf(5)) there is a setting called warnpassword that is used to set the amount of time before password expiration during which the user should get a warning upon login. However, under normal circumstances, this warning isn't displayed.
The source code for pam_unix(8) shows the following:
Code:
    if (pwd->pw_change) {
        warntime = login_getcaptime(lc, "warnpassword",
            DEFAULT_WARN, DEFAULT_WARN);
        if (tp.tv_sec >= pwd->pw_change) {
            retval = PAM_NEW_AUTHTOK_REQD;
        } else if (pwd->pw_change - tp.tv_sec < warntime &&
            (flags & PAM_SILENT) == 0) {
            pam_error(pamh, "Warning: your password expires on %s",
                ctime(&pwd->pw_change));
        }
    }
The problem is that under normal circumstances, the login(1) program sets the PAM_SILENT flag in getloginname():
Code:
    if (nbuf[0] == '-') {
        pam_silent = 0;
        memmove(nbuf, nbuf + 1, strlen(nbuf));
    } else {
        pam_silent = PAM_SILENT;
    }
(nbuf holds the entered username)
A normal username will run the PAM modules with PAM_SILENT set, so warning messages will never be displayed. But if I prefix the username with a hyphen, I do see the warning message! (And any other PAM messages, I expect.) Is this a known "feature" of username entry? Am I missing some other setting that will allow a user doing a normal login to see the expiration warning message?
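
Added example, not part of the original post and not FreeBSD's own code: a stand-alone C model that chains the two excerpts above to show which typed login names produce the warning, and that an already expired password is still reported even when the silent flag is set. The flag value, the enum, the function names, the user name and the timestamps are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Stand-in flag for this model; real code takes PAM_SILENT from <security/pam_appl.h>. */
#define MODEL_PAM_SILENT 0x1
enum outcome { ACCT_OK, ACCT_OK_WARNED, ACCT_NEW_AUTHTOK_REQD };

/* Mirrors the getloginname() excerpt: a leading '-' clears the silent flag
 * and is stripped from the name in place. Returns the flags to pass on. */
static int login_flags(char *nbuf)
{
    if (nbuf[0] == '-') {
        memmove(nbuf, nbuf + 1, strlen(nbuf)); /* length includes the NUL */
        return 0;
    }
    return MODEL_PAM_SILENT;
}

/* Mirrors the pam_unix excerpt: expiry is enforced whatever the flags are,
 * only the advance warning depends on the silent flag. */
static enum outcome acct_check(time_t pw_change, time_t now, time_t warntime, int flags)
{
    if (pw_change == 0)
        return ACCT_OK;                        /* no expiry configured */
    if (now >= pw_change)
        return ACCT_NEW_AUTHTOK_REQD;
    if (pw_change - now < warntime && (flags & MODEL_PAM_SILENT) == 0)
        return ACCT_OK_WARNED;
    return ACCT_OK;
}

/* Runs one typed login name through both steps. */
static enum outcome simulate(const char *typed, time_t pw_change, time_t now, time_t warntime)
{
    char nbuf[64];
    snprintf(nbuf, sizeof(nbuf), "%s", typed);
    return acct_check(pw_change, now, warntime, login_flags(nbuf));
}

int main(void)
{
    /* Constructed sample values: fixed "now" and a 14-day warning window. */
    const time_t day = 86400, now = 1700000000, warn = 14 * day;
    printf("alice,  expires in 3d:  %d\n", simulate("alice", now + 3 * day, now, warn));
    printf("-alice, expires in 3d:  %d\n", simulate("-alice", now + 3 * day, now, warn));
    printf("alice,  expired 1d ago: %d\n", simulate("alice", now - day, now, warn));
    return 0;
}
```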