RHEL-70476

[RHEL8] The third field, as documented in shadow(5), seems to behave wrongly: if empty, the password is considered expired.



      What were you trying to do that didn't work?

      The third field in /etc/shadow represents the time the password was last changed.

      When leaving this third field empty, like for instance:
      root:$5$9gNQkfBUAvczxqrD$1UDU4z8BuMzLkOK95bqYMy75q6.Y4fg9dd6az4c0MoB::7:360:7:30::
      the system (PAM) treats it as an expired password and refuses the login.

      The shadow(5) man page says that if the field is empty it should be regarded as not having any expiration.

      So one of the two things must be wrong: either the man page is wrong or the implementation is not correct. Please advise/fix this. Thanks in advance.

      What is the impact of this issue to you?

      We cannot log in as root because the login is set as expired.

      Please provide the package NVR for which the bug is seen:

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. set up a user and ensure the third field in /etc/shadow is empty (::)
      2. configure PAM so that it has expirations in place (4th, 5th, 6th and 7th field)
      3. it should not be possible to log in with that user because the password is considered expired (even though there is no starting date to start counting from)

      Expected results

      It should be possible to log in nonetheless, as technically (and as mentioned in the man page) that user should not be regarded as having an expired password.

      If you think fixing this behavior would introduce a regression or security-relevant change, the better thing to fix may be the man page, so that it states that when the third field is empty the password is always considered expired.

      Actual results

              ipedrosa@redhat.com Iker Pedrosa
              fperalta@redhat.com Francisco Peralta
              Iker Pedrosa Iker Pedrosa
              Anuj Borah Anuj Borah