Red Hat Bugzilla – Bug 69279
forced password change (last change = 0) trumps expired account
Last modified: 2007-04-18 12:44:18 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.79 [en] (Windows NT 5.0; U)
Description of problem:
If an account has the last password change set to the epoch to force a password change, *and* the accounf's expiration date has passed,
changing the password allows the user to log in.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. chage <user> -d 0 -E <yesterday's date>
2. login as <user>
3. change password as instructed
Actual Results: Shell prompt (as user).
Expected Results: Your account has expired. Please contact your system administrator.
I think an expired account should take precedence over a forced password change. There's no point in allowing someone to change their
password if they're not supposed to be able to log in.
Created attachment 66264 [details]
proposed patch to fix this bug
Thanks, applied to upstream PAM CVS.