Junyoung Heo wrote:
>
> >>- account expire date : disable account after some days.
> >>- account inactive date : disable account if account is not used for some days.
> >>- account suspend/resume date : disable account until suspend date and resume it after resume date.
> >>We want to add above 3 functionalities on pam_time modules.
> >>How about your thought?
> >>
> >
> >But this functionality already exists in pam_unix/pam_pwdb,
> >based on corresponding fields in shadow (or nss equivalent).
> >And why add this to pam_time that has no access to user's
> >password attributes, whatever they are?
> >
> I knew 'account expire date' exists in shadow format and
> pam_unix/pam_pwdb perform it.
> But, I cannot find other 2 features in pam modules.

Yes, this is something where I was inaccurate. First, I thought
about the `inactivity' field in shadow, but interpreted it wrong -- it
isn't "nologin" time, but "no-change-expired-passwd" time. My mistake.
And the 3rd feature does not exist at all (or maybe pam_time can already
do that? like `user;*;*;date1-date2'?). So yes, I'm sorry for
the misinformation.

> I thought 'account expire date' is not proper in 'shadow' because
> 'shadow' is dedicated to 'password'.

This seems historical to me: at a time when no shadow existed, and
`struct passwd' was widely used with fixed (read: standard) fields --
there was no way to add a new field to struct passwd, and a new
`struct spwd' was needed anyway... ;) Actually, all that account
management information should not be visible to the public IMHO, and
shadow is a good place from that point of view.

> Also, thought these things are appropriate for pam_time because it is
> intended to account/time.

Well, ok, be it that way!

Regards,
 Michael.
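
The shadow fields discussed in this message, as an added example that is not part of the original e-mail and is not pam_unix's code: it classifies constructed shadow entries following the field semantics in shadow(5). The state names, the helper functions and the sample entries are assumptions made for illustration; note that none of the inputs is a last-login time, only the last password change.

```python
"""Added illustration of shadow(5) aging fields; not code from Linux-PAM."""
import time
from typing import NamedTuple, Optional

class Shadow(NamedTuple):
    name: str
    lastchg: Optional[int]   # day of last password change (days since 1970-01-01)
    max_age: Optional[int]   # days a password stays valid
    inactive: Optional[int]  # grace days after the password has aged out
    expire: Optional[int]    # absolute day on which the account is disabled

def _num(field: str) -> Optional[int]:
    # An empty field or -1 means the check is switched off.
    value = int(field) if field else -1
    return None if value < 0 else value

def parse_shadow(line: str) -> Shadow:
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 shadow fields, got {len(f)}")
    return Shadow(f[0], _num(f[2]), _num(f[4]), _num(f[6]), _num(f[7]))

def account_state(e: Shadow, today: int) -> str:
    if e.expire is not None and today >= e.expire:
        return "account-expired"            # the 'account expire date' feature
    if e.lastchg == 0:
        return "must-change-password"       # change forced at next login
    if e.lastchg is None or e.max_age is None:
        return "ok"                         # password aging disabled
    overdue = today - e.lastchg - e.max_age
    if overdue <= 0:
        return "ok"
    if e.inactive is not None and overdue > e.inactive:
        return "locked-password-unchanged"  # grace period ran out
    return "must-change-password"           # still inside the grace period

# Constructed sample entries ("HASH" is a placeholder, not a real hash).
SAMPLE = [
    "alice:HASH:19990:0:90:7:14::",
    "bob:HASH:19900:0:90:7:14::",
    "carol:HASH:19800:0:90:7:14::",
    "dave:HASH:19990:0:90:7::19999:",
]

def audit(lines, today):
    return {e.name: account_state(e, today) for e in map(parse_shadow, lines)}

if __name__ == "__main__":
    print(audit(SAMPLE, int(time.time() // 86400)))
```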