Patch to fix shadows password expiration
Tomi Leppikangas
tomi.leppikangas at gmail.com
Mon Nov 14 18:53:58 CET 2011
Hi,
I discovered that freeradius doesn't handle shadow password
expiration correctly. It only looks at the account expiration date, not
password expiration. Also, the log entry for account expiration
incorrectly says "password expired". I reported the bug to the RedHat
bugzilla, but the bug seems to be in the master tree also.
Bugzilla link:
https://bugzilla.redhat.com/show_bug.cgi?id=753764
--
Tomi Leppikangas
-------------- next part --------------
--- BUILD/freeradius-server-2.1.10/src/modules/rlm_unix/rlm_unix.c-orign 2011-11-14 16:04:38.795620370 +0200
+++ BUILD/freeradius-server-2.1.10/src/modules/rlm_unix/rlm_unix.c 2011-11-14 16:06:46.293616405 +0200
@@ -274,9 +274,17 @@
/*
* Check if password has expired.
*/
+ if (spwd && spwd->sp_lstchg > 0 && spwd->sp_max >= 0 &&
+ (request->timestamp / 86400) > (spwd->sp_lstchg + spwd->sp_max)) {
+ radlog_request(L_AUTH, 0, request, "[%s]: password has expired", name);
+ return RLM_MODULE_REJECT;
+ }
+ /*
+ * Check if account has expired.
+ */
if (spwd && spwd->sp_expire > 0 &&
(request->timestamp / 86400) > spwd->sp_expire) {
- radlog_request(L_AUTH, 0, request, "[%s]: password has expired", name);
+ radlog_request(L_AUTH, 0, request, "[%s]: account has expired", name);
return RLM_MODULE_REJECT;
}
#endif
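Review bot: The `spwd->sp_lstchg > 0` guard in the added password check lets through accounts with sp_lstchg == 0, which shadow(5) defines as "user must change the password at next login"; since RADIUS authentication through this module gives the user no way to change it, consider rejecting that case explicitly (with its own log message) rather than silently accepting it. The check also treats the password as unusable exactly at sp_lstchg + sp_max and ignores sp_inact; that is a reasonable choice here, but a short comment stating that the inactivity grace period is intentionally not honoured would help. Minor: `request->timestamp / 86400` is now computed in both conditions and could be stored once in a local variable.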