Found this in the pam_unix info:

    Based on the following shadow elements: expire; last_change; max_change; min_change; warn_change, this module performs the task of establishing the status of the user's account and password. In the case of the latter, it may offer advice to the user on changing their password or, through the PAM_AUTHTOKEN_REQD return, delay giving service to the user until they have established a new password. The entries listed above are documented in the GNU Libc info documents. Should the user's record not contain one or more of these entries, the corresponding shadow check is not performed.

which sounds like what I want to do: restrict login based on shadow info. But I am not sure how to apply this. Any advice?

I use the shadow keyword in system-auth already:

    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow

but not for auth.

    auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
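The shadow checks that the quoted pam_unix text describes, as an added example (not part of the original post and not pam_unix's own code): a simplified Python model that parses one /etc/shadow line and derives the account status from expire, last_change, max_change and warn_change, skipping any check whose field is absent. The function names, status strings and sample lines are assumptions made for illustration; min_change is parsed but unused here because it limits how soon a password may be changed, not whether login is allowed.

```python
from datetime import date

# /etc/shadow layout:
# name:hash:last_change:min_change:max_change:warn_change:inactive:expire:reserved
FIELDS = {"last_change": 2, "min_change": 3, "max_change": 4,
          "warn_change": 5, "expire": 7}

def parse_shadow(line):
    """Return the aging fields as ints; an empty or -1 field becomes None."""
    parts = line.rstrip("\n").split(":")
    entry = {"name": parts[0]}
    for key, idx in FIELDS.items():
        raw = parts[idx] if idx < len(parts) else ""
        entry[key] = int(raw) if raw not in ("", "-1") else None
    return entry

def account_status(entry, today):
    """Classify an entry; 'today' is in days since 1970-01-01, like the file."""
    last, mx = entry["last_change"], entry["max_change"]
    warn, exp = entry["warn_change"], entry["expire"]
    # A missing field is None, so the corresponding check is not performed.
    if exp is not None and today >= exp:
        return "ACCOUNT_EXPIRED"
    if last == 0:
        # The administrator forced a change at next login.
        return "NEW_PASSWORD_REQUIRED"
    if last is not None and mx is not None:
        if today > last + mx:
            # Service is withheld until a new password is established.
            return "NEW_PASSWORD_REQUIRED"
        if warn is not None and today > last + mx - warn:
            # Advice to the user: days left before the password expires.
            return f"WARN:{last + mx - today}"
    return "OK"

if __name__ == "__main__":
    today = (date.today() - date(1970, 1, 1)).days
    # Constructed sample lines, not taken from a real system.
    samples = [
        f"alice:x:{today - 85}:0:90:7:::",           # inside the warning window
        f"bob:x:{today - 10}:0:99999:7::{today - 1}:",  # account expiry passed
        "carol:x:::::::",                            # no aging data at all
    ]
    for line in samples:
        entry = parse_shadow(line)
        print(entry["name"], account_status(entry, today))
```

In the Linux-PAM documentation the quoted passage belongs to pam_unix's account management component, so these checks run from an `account` line in the stack rather than from the `auth` or `password` lines.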