
Remove support for shadow(5)'s sp_min#1482

Open
alejandro-colomar wants to merge 5 commits into shadow-maint:master from alejandro-colomar:sp_min

Conversation

@alejandro-colomar (Collaborator) commented Jan 6, 2026

Password expiry was deprecated in 4.19.

sp_min (password minimum age) doesn't seem to be regulated, so it seems we can remove it already.

Link: #1432


Revisions:

v1b
  • Rebase
$ git rd 
1:  d23f4fd515f2 = 1:  cedee3d5c4fb src/chage.c: Remove interactive -m
2:  df14c804a6a7 = 2:  aa27a3c7d6f5 */: chage(1): -m,--mindays: Remove option
3:  66cf7e9ab2ec = 3:  99023e27937c */: passwd(1): -n,--mindays: Remove option
4:  dacb4880dd83 ! 4:  ba480ec8b60e */: login.defs(5): PASS_MIN_DAYS: Remove configuration variable
    @@ man/login.defs.5.xml
            HOME_MODE
     -      PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
     +      PASS_MAX_DAYS PASS_WARN_AGE
    -       <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
    -       SHA_CRYPT_MIN_ROUNDS</phrase>
    +       SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
            SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
    +       SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN
     @@
        <term>pwck</term>
        <listitem>
5:  c8f041d71528 = 5:  61639063c123 */: shadow(5): sp_min: Ignore field, and clear it
v2
  • Rebase
$ git rd 
1:  cedee3d5 = 1:  76082f17 src/chage.c: Remove interactive -m
2:  aa27a3c7 ! 2:  36d2615f */: chage(1): -m,--mindays: Remove option
    @@ tests/chage/16_chage-m_no_shadow_entry/config/etc/login.defs (deleted)
     -#
     -#CONSOLE_GROUPS           floppy:audio:cdrom
     -
    --#
    --# Only works if compiled with MD5_CRYPT defined:
    --# If set to "yes", new passwords will be encrypted using the MD5-based
    --# algorithm compatible with the one used by recent releases of FreeBSD.
    --# It supports passwords of unlimited length and longer salt strings.
    --# Set to "no" if you need to copy encrypted passwords to other systems
    --# which don't understand the new algorithm.  Default is "no".
    --#
    --# This variable is used by chpasswd, gpasswd and newusers.
    --#
    --#MD5_CRYPT_ENAB   no
    --
     -################# OBSOLETED BY PAM ##############
     -#                                         #
     -# These options are now handled by PAM. Please    #
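Review bot: deleting tests/chage/16_chage-m_no_shadow_entry wholesale removes the only visible test coverage of `chage -m`; instead of dropping the directory, keep a test that asserts `chage -m` now exits with a usage error and leaves the shadow file untouched, so a regression that quietly re-accepts the option is caught. The `MD5_CRYPT_ENAB` block shown as `--` lines is the rebase catching up with its upstream removal and needs no action here.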
3:  99023e27 = 3:  feb66370 */: passwd(1): -n,--mindays: Remove option
4:  ba480ec8 ! 4:  b5f6d93a */: login.defs(5): PASS_MIN_DAYS: Remove configuration variable
    @@ man/login.defs.5.xml
              existing accounts.
     @@
            GID_MAX GID_MIN
    -       MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
    +       MAX_MEMBERS_PER_GROUP
            HOME_MODE
     -      PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
     +      PASS_MAX_DAYS PASS_WARN_AGE
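Review bot: this hunk only drops PASS_MIN_DAYS from the top-level variable list in man/login.defs.5.xml; the same page has a per-program cross-reference section (the v1b range-diff cuts off at `<term>pwck</term>`), and PASS_MIN_DAYS has to be removed from every per-program entry that lists it too, otherwise the page keeps advertising a variable the tools no longer read. The `MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB` line losing MD5_CRYPT_ENAB is rebase fallout, not part of this commit.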
    @@ man/login.defs.d/PASS_MIN_DAYS.xml (deleted)
     
      ## man/newusers.8.xml ##
     @@
    + <!ENTITY HOME_MODE             SYSTEM "login.defs.d/HOME_MODE.xml">
      <!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
    - <!ENTITY MD5_CRYPT_ENAB        SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
      <!ENTITY PASS_MAX_DAYS         SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
     -<!ENTITY PASS_MIN_DAYS         SYSTEM "login.defs.d/PASS_MIN_DAYS.xml">
      <!ENTITY PASS_WARN_AGE         SYSTEM "login.defs.d/PASS_WARN_AGE.xml">
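Review bot: removing the `<!ENTITY PASS_MIN_DAYS ... login.defs.d/PASS_MIN_DAYS.xml>` declaration from man/newusers.8.xml is only safe if that file no longer references `&PASS_MIN_DAYS;`, and because login.defs.d/PASS_MIN_DAYS.xml itself is deleted in this commit, the same pair of edits (entity declaration plus the reference) is needed in every other man page that included it; a page that keeps either one fails DocBook validation. The `HOME_MODE` and `MD5_CRYPT_ENAB` lines in this hunk are rebase noise.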
    @@ tests/chroot/usermod/01_usermod--root/config_chroot/etc/login.defs: UMASK                022
      
      #
     
    - ## tests/crypt/login.defs_DES-MD5_CRYPT_ENAB/config/etc/login.defs ##
    -@@ tests/crypt/login.defs_DES-MD5_CRYPT_ENAB/config/etc/login.defs: KILLCHAR       025
    - # Password aging controls:
    - #
    - # PASS_MAX_DAYS   Maximum number of days a password may be used.
    --# PASS_MIN_DAYS   Minimum number of days allowed between password changes.
    - # PASS_WARN_AGE   Number of days warning given before a password expires.
    - #
    - PASS_MAX_DAYS     99999
    --PASS_MIN_DAYS     0
    - PASS_WARN_AGE     7
    - 
    - #
    -
      ## tests/crypt/login.defs_DES/config/etc/login.defs ##
     @@ tests/crypt/login.defs_DES/config/etc/login.defs: KILLCHAR      025
      # Password aging controls:
    @@ tests/crypt/login.defs_MD5/config/etc/login.defs: KILLCHAR       025
      
      #
     
    - ## tests/crypt/login.defs_MD5_CRYPT_ENAB/config/etc/login.defs ##
    -@@ tests/crypt/login.defs_MD5_CRYPT_ENAB/config/etc/login.defs: KILLCHAR   025
    - # Password aging controls:
    - #
    - # PASS_MAX_DAYS   Maximum number of days a password may be used.
    --# PASS_MIN_DAYS   Minimum number of days allowed between password changes.
    - # PASS_WARN_AGE   Number of days warning given before a password expires.
    - #
    - PASS_MAX_DAYS     99999
    --PASS_MIN_DAYS     0
    - PASS_WARN_AGE     7
    - 
    - #
    -
      ## tests/crypt/login.defs_SHA256-round-max/config/etc/login.defs ##
     @@ tests/crypt/login.defs_SHA256-round-max/config/etc/login.defs: KILLCHAR 025
      # Password aging controls:
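Review bot: for the test configs that survive the rebase (tests/crypt/login.defs_DES, login.defs_MD5, login.defs_SHA256-round-max and tests/chroot/usermod/01_usermod--root) the range-diff stops right after the `# Password aging controls:` header, so it is not visible whether both lines went; mirror what the two vanished MD5_CRYPT_ENAB configs did and drop the `# PASS_MIN_DAYS   Minimum number of days allowed between password changes.` comment as well as the `PASS_MIN_DAYS     0` setting, otherwise the fixtures keep documenting a variable that no longer exists.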
5:  61639063 ! 5:  8bbd9705 */: shadow(5): sp_min: Ignore field, and clear it
    @@ src/passwd.c: static void check_password (const struct passwd *pw, const struct
     -                  (void) fprintf (stderr,
     -                                  _("The password for %s cannot be changed yet.\n"),
     -                                  sp->sp_namp);
    --                  SYSLOG ((LOG_WARN, "now < minimum age for '%s'", sp->sp_namp));
    +-                  SYSLOG(LOG_WARN, "now < minimum age for '%s'", sp->sp_namp);
     -                  closelog ();
     -                  fail_exit(E_NOPERM, process_selinux);
     -          }
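Review bot: the only difference between v1b and v2 in this hunk is the macro spelling, `SYSLOG ((LOG_WARN, ...))` versus `SYSLOG(LOG_WARN, ...)`, so the rebase followed an upstream macro change and the deleted code is otherwise identical. Worth a line in the PR description that the syslog message `now < minimum age for '%s'` goes away with this branch, since anyone alerting on that string loses the signal; the `The password for %s cannot be changed yet.` stderr text disappears with it and should be removed from passwd(1) if the man page still describes that failure.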

@patrakov commented Jan 6, 2026

The use case for the minimum password age is to prevent lazy people in environments where periodic password changes are required, knowing that they can't reuse the last 10 passwords, from changing the password 10 times to throwaway values and then back to the original. In practice, even though it is not explicitly regulated, auditors view it as a part of enforcement of the password history requirement.

@alejandro-colomar (Collaborator, Author) commented Jan 6, 2026

> The use case for the minimum password age is to prevent lazy people,

That's actually not lazy people, but intelligent people that know ways of enforcing security even under regulations that actively try to make them decrease security.

> knowing that they can't reuse the last 10 passwords, from changing the password 10 times to throwaway values and then back to the original. In practice, even though it is not explicitly regulated, auditors view it as a part of enforcement of the password history requirement.

Auditors can come here and talk with us. :)

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
It makes no sense to limit the frequency of password change.  If one
changes one's password, and 5 minutes later the password is leaked, one
should be able to change the password immediately.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Whenever we were reading it, let's assume it contains a -1 (the integer
representation of an empty field).  Whenever we were writing it, let's
write a -1.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
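The read-as-empty / write-as-empty rule stated in the last commit message above, as an added C example that is not shadow-utils code and is not part of this PR: a small shadow(5) line parser and serializer modelled on struct spwd. The struct name spwd_ex, the helpers and the sample entry for alice are constructed for illustration; sp_flag is kept as a long here, where glibc uses unsigned long.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Modelled on struct spwd from <shadow.h>, with fixed buffers so the example
 * needs no allocation.  Field names and order are those of shadow(5). */
struct spwd_ex {
    char sp_namp[64];
    char sp_pwdp[256];
    long sp_lstchg, sp_min, sp_max, sp_warn, sp_inact, sp_expire;
    long sp_flag;   /* glibc uses unsigned long; kept as long here for brevity */
};

/* Empty numeric field -> -1 (shadow library convention); reject anything else that is not a non-negative decimal. */
static int parse_num(const char *s, long *out)
{
    char *end;
    long v;

    if (*s == '\0') { *out = -1; return 0; }
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0)
        return -1;
    *out = v;
    return 0;
}

/* Split buf in place on ':' into exactly nfields fields.  Unlike strtok(3), consecutive colons yield empty fields. */
static int split_fields(char *buf, char *fields[], int nfields)
{
    char *p = buf, *colon;
    int i = 0;

    for (;;) {
        if (i == nfields)
            return -1;              /* too many fields */
        fields[i++] = p;
        colon = strchr(p, ':');
        if (colon == NULL)
            return i == nfields ? 0 : -1;
        *colon = '\0';
        p = colon + 1;
    }
}

/* Parse one shadow(5) line.  The 4th field (sp_min) is not interpreted at
 * all: whatever it holds, the entry is read as if the field were empty. */
int parse_shadow_line(const char *line, struct spwd_ex *sp)
{
    char buf[512], *f[9];

    if (strlen(line) >= sizeof buf || split_fields(strcpy(buf, line), f, 9) != 0)
        return -1;
    if (strlen(f[0]) >= sizeof sp->sp_namp || strlen(f[1]) >= sizeof sp->sp_pwdp)
        return -1;
    strcpy(sp->sp_namp, f[0]);
    strcpy(sp->sp_pwdp, f[1]);
    sp->sp_min = -1;                /* f[3] deliberately ignored */
    return (parse_num(f[2], &sp->sp_lstchg) || parse_num(f[4], &sp->sp_max) ||
            parse_num(f[5], &sp->sp_warn) || parse_num(f[6], &sp->sp_inact) ||
            parse_num(f[7], &sp->sp_expire) || parse_num(f[8], &sp->sp_flag)) ? -1 : 0;
}

static const char *num_or_empty(long v, char *buf, size_t n)
{
    if (v < 0)
        return "";
    snprintf(buf, n, "%ld", v);
    return buf;
}

/* Serialize an entry.  sp_min is always written as the empty field, so any
 * value present in the file is cleared the first time the entry is rewritten. */
int format_shadow_line(const struct spwd_ex *sp, char *out, size_t n)
{
    char b[6][24];
    int len = snprintf(out, n, "%s:%s:%s::%s:%s:%s:%s:%s", sp->sp_namp, sp->sp_pwdp,
                       num_or_empty(sp->sp_lstchg, b[0], 24),
                       /* the "::" above is the always-empty sp_min field */
                       num_or_empty(sp->sp_max, b[1], 24), num_or_empty(sp->sp_warn, b[2], 24),
                       num_or_empty(sp->sp_inact, b[3], 24), num_or_empty(sp->sp_expire, b[4], 24),
                       num_or_empty(sp->sp_flag, b[5], 24));

    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

int main(void)
{
    struct spwd_ex sp;      /* constructed sample: sp_min is 7 on input and must not survive */
    char out[512];

    if (parse_shadow_line("alice:$6$salt$hash:19723:7:99999:14:::", &sp) != 0 ||
        format_shadow_line(&sp, out, sizeof out) != 0)
        return 1;
    printf("%s\n", out);
    return 0;
}
```

Compile with any C99 compiler; main prints the round-tripped line. The point to notice is that a non-empty, even non-numeric, 4th field is accepted and discarded on read while every other numeric field is still validated, and that the value is only physically cleared from the file when an entry is rewritten by a tool built this way, so a shadow file shared with older tools or other readers keeps whatever sp_min it already had until then.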
