Remove support for shadow(5)'s sp_min

[alejandro-colomar]

Password expiry was deprecated in 4.19.

sp_min (password minimum age) doesn't seem to be regulated, so it seems we can remove it already.

Link: #1432

---

Revisions:

v1b

• Rebase

$ git rd 
1:  d23f4fd515f2 = 1:  cedee3d5c4fb src/chage.c: Remove interactive -m
2:  df14c804a6a7 = 2:  aa27a3c7d6f5 */: chage(1): -m,--mindays: Remove option
3:  66cf7e9ab2ec = 3:  99023e27937c */: passwd(1): -n,--mindays: Remove option
4:  dacb4880dd83 ! 4:  ba480ec8b60e */: login.defs(5): PASS_MIN_DAYS: Remove configuration variable
    @@ man/login.defs.5.xml
            HOME_MODE
     -      PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
     +      PASS_MAX_DAYS PASS_WARN_AGE
    -       <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
    -       SHA_CRYPT_MIN_ROUNDS</phrase>
    +       SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
            SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
    +       SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN
     @@
        <term>pwck</term>
        <listitem>
5:  c8f041d71528 = 5:  61639063c123 */: shadow(5): sp_min: Ignore field, and clear it

v2

• Rebase

$ git rd 
1:  cedee3d5 = 1:  76082f17 src/chage.c: Remove interactive -m
2:  aa27a3c7 ! 2:  36d2615f */: chage(1): -m,--mindays: Remove option
    @@ tests/chage/16_chage-m_no_shadow_entry/config/etc/login.defs (deleted)
     -#
     -#CONSOLE_GROUPS           floppy:audio:cdrom
     -
    --#
    --# Only works if compiled with MD5_CRYPT defined:
    --# If set to "yes", new passwords will be encrypted using the MD5-based
    --# algorithm compatible with the one used by recent releases of FreeBSD.
    --# It supports passwords of unlimited length and longer salt strings.
    --# Set to "no" if you need to copy encrypted passwords to other systems
    --# which don't understand the new algorithm.  Default is "no".
    --#
    --# This variable is used by chpasswd, gpasswd and newusers.
    --#
    --#MD5_CRYPT_ENAB   no
    --
     -################# OBSOLETED BY PAM ##############
     -#                                         #
     -# These options are now handled by PAM. Please    #
3:  99023e27 = 3:  feb66370 */: passwd(1): -n,--mindays: Remove option
4:  ba480ec8 ! 4:  b5f6d93a */: login.defs(5): PASS_MIN_DAYS: Remove configuration variable
    @@ man/login.defs.5.xml
              existing accounts.
     @@
            GID_MAX GID_MIN
    -       MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
    +       MAX_MEMBERS_PER_GROUP
            HOME_MODE
     -      PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
     +      PASS_MAX_DAYS PASS_WARN_AGE
    @@ man/login.defs.d/PASS_MIN_DAYS.xml (deleted)
     
      ## man/newusers.8.xml ##
     @@
    + <!ENTITY HOME_MODE             SYSTEM "login.defs.d/HOME_MODE.xml">
      <!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
    - <!ENTITY MD5_CRYPT_ENAB        SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
      <!ENTITY PASS_MAX_DAYS         SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
     -<!ENTITY PASS_MIN_DAYS         SYSTEM "login.defs.d/PASS_MIN_DAYS.xml">
      <!ENTITY PASS_WARN_AGE         SYSTEM "login.defs.d/PASS_WARN_AGE.xml">
    @@ tests/chroot/usermod/01_usermod--root/config_chroot/etc/login.defs: UMASK                022
      
      #
     
    - ## tests/crypt/login.defs_DES-MD5_CRYPT_ENAB/config/etc/login.defs ##
    -@@ tests/crypt/login.defs_DES-MD5_CRYPT_ENAB/config/etc/login.defs: KILLCHAR       025
    - # Password aging controls:
    - #
    - # PASS_MAX_DAYS   Maximum number of days a password may be used.
    --# PASS_MIN_DAYS   Minimum number of days allowed between password changes.
    - # PASS_WARN_AGE   Number of days warning given before a password expires.
    - #
    - PASS_MAX_DAYS     99999
    --PASS_MIN_DAYS     0
    - PASS_WARN_AGE     7
    - 
    - #
    -
      ## tests/crypt/login.defs_DES/config/etc/login.defs ##
     @@ tests/crypt/login.defs_DES/config/etc/login.defs: KILLCHAR      025
      # Password aging controls:
    @@ tests/crypt/login.defs_MD5/config/etc/login.defs: KILLCHAR       025
      
      #
     
    - ## tests/crypt/login.defs_MD5_CRYPT_ENAB/config/etc/login.defs ##
    -@@ tests/crypt/login.defs_MD5_CRYPT_ENAB/config/etc/login.defs: KILLCHAR   025
    - # Password aging controls:
    - #
    - # PASS_MAX_DAYS   Maximum number of days a password may be used.
    --# PASS_MIN_DAYS   Minimum number of days allowed between password changes.
    - # PASS_WARN_AGE   Number of days warning given before a password expires.
    - #
    - PASS_MAX_DAYS     99999
    --PASS_MIN_DAYS     0
    - PASS_WARN_AGE     7
    - 
    - #
    -
      ## tests/crypt/login.defs_SHA256-round-max/config/etc/login.defs ##
     @@ tests/crypt/login.defs_SHA256-round-max/config/etc/login.defs: KILLCHAR 025
      # Password aging controls:
5:  61639063 ! 5:  8bbd9705 */: shadow(5): sp_min: Ignore field, and clear it
    @@ src/passwd.c: static void check_password (const struct passwd *pw, const struct
     -                  (void) fprintf (stderr,
     -                                  _("The password for %s cannot be changed yet.\n"),
     -                                  sp->sp_namp);
    --                  SYSLOG ((LOG_WARN, "now < minimum age for '%s'", sp->sp_namp));
    +-                  SYSLOG(LOG_WARN, "now < minimum age for '%s'", sp->sp_namp);
     -                  closelog ();
     -                  fail_exit(E_NOPERM, process_selinux);
     -          }

v2b

• Rebase

$ git rd 
1:  76082f17 = 1:  3aad7591 src/chage.c: Remove interactive -m
2:  36d2615f = 2:  f4ad4227 */: chage(1): -m,--mindays: Remove option
3:  feb66370 = 3:  0daeea49 */: passwd(1): -n,--mindays: Remove option
4:  b5f6d93a ! 4:  e757346e */: login.defs(5): PASS_MIN_DAYS: Remove configuration variable
    @@ man/login.defs.5.xml
            &PASS_MAX_DAYS;
     -      &PASS_MIN_DAYS;
            &PASS_WARN_AGE;
    -       <para> 
    +       <para>
     -        <option>PASS_MAX_DAYS</option>, <option>PASS_MIN_DAYS</option> and
     +        <option>PASS_MAX_DAYS</option>, and
              <option>PASS_WARN_AGE</option> are only used at the
    @@ man/login.defs.5.xml
     -      PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
     +      PASS_MAX_DAYS PASS_WARN_AGE
            SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
    -       SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
    -       SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN
    +       SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN SUB_GID_DETERMINISTIC
    +       SUB_GID_STORE_BY_UID
     @@
        <term>pwck</term>
        <listitem>
    @@ man/login.defs.5.xml
            MAIL_DIR MAX_MEMBERS_PER_GROUP
     -      PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
     +      PASS_MAX_DAYS PASS_WARN_AGE
    -       SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
    -       SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN
    -       SYS_GID_MAX SYS_GID_MIN SYS_UID_MAX SYS_UID_MIN UID_MAX UID_MIN
    +       SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN SUB_GID_DETERMINISTIC
    +       SUB_GID_STORE_BY_UID
    +       SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN SUB_UID_DETERMINISTIC
     
      ## man/login.defs.d/PASS_MIN_DAYS.xml (deleted) ##
     @@
    @@ tests/grouptools/groupdel/11_groupdel_invalid_option/config/etc/login.defs: KILL
      
      #
     
    - ## tests/grouptools/groupmems/54_groupmems_usage_invalid_option/config/etc/login.defs ##
    -@@ tests/grouptools/groupmems/54_groupmems_usage_invalid_option/config/etc/login.defs: KILLCHAR    025
    - # Password aging controls:
    - #
    - # PASS_MAX_DAYS   Maximum number of days a password may be used.
    --# PASS_MIN_DAYS   Minimum number of days allowed between password changes.
    - # PASS_WARN_AGE   Number of days warning given before a password expires.
    - #
    - PASS_MAX_DAYS     99999
    --PASS_MIN_DAYS     0
    - PASS_WARN_AGE     7
    - 
    - #
    -
    - ## tests/grouptools/groupmems/55_groupmems_usage-a-d/config/etc/login.defs ##
    -@@ tests/grouptools/groupmems/55_groupmems_usage-a-d/config/etc/login.defs: KILLCHAR       025
    - # Password aging controls:
    - #
    - # PASS_MAX_DAYS   Maximum number of days a password may be used.
    --# PASS_MIN_DAYS   Minimum number of days allowed between password changes.
    - # PASS_WARN_AGE   Number of days warning given before a password expires.
    - #
    - PASS_MAX_DAYS     99999
    --PASS_MIN_DAYS     0
    - PASS_WARN_AGE     7
    - 
    - #
    -
    - ## tests/grouptools/groupmems/56_groupmems_usage_extra_arg/config/etc/login.defs ##
    -@@ tests/grouptools/groupmems/56_groupmems_usage_extra_arg/config/etc/login.defs: KILLCHAR 025
    - # Password aging controls:
    - #
    - # PASS_MAX_DAYS   Maximum number of days a password may be used.
    --# PASS_MIN_DAYS   Minimum number of days allowed between password changes.
    - # PASS_WARN_AGE   Number of days warning given before a password expires.
    - #
    - PASS_MAX_DAYS     99999
    --PASS_MIN_DAYS     0
    - PASS_WARN_AGE     7
    - 
    - #
    -
      ## tests/grouptools/groupmod/01_groupmod_change_gid/config/etc/login.defs ##
     @@ tests/grouptools/groupmod/01_groupmod_change_gid/config/etc/login.defs: KILLCHAR        025
      # Password aging controls:
5:  8bbd9705 = 5:  07061db4 */: shadow(5): sp_min: Ignore field, and clear it

v2c

• Fix previous rebase. A new use of nflg had been added recently.

$ git rd 
1:  3aad7591 = 1:  3aad7591 src/chage.c: Remove interactive -m
2:  f4ad4227 = 2:  f4ad4227 */: chage(1): -m,--mindays: Remove option
3:  0daeea49 ! 3:  ccd00d0c */: passwd(1): -n,--mindays: Remove option
    @@ src/passwd.c: static void update_shadow(bool process_selinux)
        if (wflg) {
                nsp->sp_warn = warn;
        }
    +@@ src/passwd.c: static void update_shadow(bool process_selinux)
    +                        ret ? SHADOW_AUDIT_SUCCESS : SHADOW_AUDIT_FAILURE);
    +   }
    +   /* Audit aging parameter changes if any were modified */
    +-  if (xflg || nflg || wflg || iflg) {
    ++  if (xflg || wflg || iflg) {
    +           char aging_msg[256];
    +           stprintf_a(aging_msg,
    +                      "changed-password-aging min=%ld max=%ld warn=%ld inact=%ld",
     @@ src/passwd.c: static void update_shadow(bool process_selinux)
       *        -i #    set sp_inact to # days (*)
       *        -k      change password only if expired
4:  e757346e = 4:  d4202fdc */: login.defs(5): PASS_MIN_DAYS: Remove configuration variable
5:  07061db4 = 5:  f1d901d7 */: shadow(5): sp_min: Ignore field, and clear it

[patrakov]

The use case for the minimum password age is to prevent lazy people in environments where periodic password changes are required, knowing that they can't reuse 10 last passwords, from changing the password 10 times to throwaway values and then back to the original. In practice, even though it is not explicitly regulated, auditors view it as a part of enforcement of the password history requirement.

[alejandro-colomar]

The use case for the minimum password age is to prevent lazy people,

That's actually not lazy people, but intelligent people that know ways of enforcing security even under regulations that actively try them to decrease security.

knowing that they can't reuse 10 last passwords, from changing the password 10 times to throwaway values and then back to the original. In practice, even though it is not explicitly regulated, auditors view it as a part of enforcement of the password history requirement.

Auditors can come here and talk with us. :)