Commit 71889176 authored Jun 01, 2021 by Zbigniew Jędrzejewski-Szmek Committed by Lennart Poettering Jun 01, 2021

pam: do not require a non-expired password for user@.service

Without this parameter, we would allow user@ to start if the user
has no password (i.e. the password is "locked"). But when the user does have a password,
and it is marked as expired, we would refuse to start the service.
There are other authentication mechanisms and we should not tie this service to
the password state.

The documented way to disable an *account* is to call 'chage -E0'. With a disabled
account, user@.service will still refuse to start:

systemd[16598]: PAM failed: User account has expired
systemd[16598]: PAM failed: User account has expired
systemd[16598]: user@1005.service: Failed to set up PAM session: Operation not permitted
systemd[16598]: user@1005.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
systemd[1]: user@1005.service: Main process exited, code=exited, status=224/PAM
systemd[1]: user@1005.service: Failed with result 'exit-code'.
systemd[1]: Failed to start user@1005.service.
systemd[1]: Stopping user-runtime-dir@1005.service...

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1961746.

parent fedfd21a

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 1f594aa2
· Jul 21, 2021

mentioned in commit 1f594aa2

mentioned in commit 1f594aa20b4bb788d7efbd560de36ab36d7e7954

Toggle commit list
mirror @mirror
mentioned in commit 050dd460
· Jul 21, 2021

mentioned in commit 050dd460

mentioned in commit 050dd460e83ca10b56b11533a60b6a5f40d42203

Toggle commit list

Please register or to comment