
Remove support for shadow(5)'s sp_min #1482

Open
alejandro-colomar wants to merge 5 commits into shadow-maint:master from alejandro-colomar:sp_min

Conversation

@alejandro-colomar (Collaborator) commented Jan 6, 2026

Password expiry was deprecated in 4.19.

sp_min (password minimum age) doesn't seem to be regulated, so it seems we can remove it already.

Link: #1432


Revisions:

v1b
  • Rebase
$ git rd 
1:  d23f4fd515f2 = 1:  cedee3d5c4fb src/chage.c: Remove interactive -m
2:  df14c804a6a7 = 2:  aa27a3c7d6f5 */: chage(1): -m,--mindays: Remove option
3:  66cf7e9ab2ec = 3:  99023e27937c */: passwd(1): -n,--mindays: Remove option
4:  dacb4880dd83 ! 4:  ba480ec8b60e */: login.defs(5): PASS_MIN_DAYS: Remove configuration variable
    @@ man/login.defs.5.xml
            HOME_MODE
     -      PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
     +      PASS_MAX_DAYS PASS_WARN_AGE
    -       <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
    -       SHA_CRYPT_MIN_ROUNDS</phrase>
    +       SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
            SUB_GID_COUNT SUB_GID_MAX SUB_GID_MIN
    +       SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN
     @@
        <term>pwck</term>
        <listitem>
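Review bot: the outer `-`/`+` lines in this hunk (the `<phrase condition="sha_crypt">` wrapper around SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS disappearing, and SUB_UID_COUNT SUB_UID_MAX SUB_UID_MIN appearing) are context that moved under the rebase, not edits made by this series; the only change that belongs to commit 4 itself is the inner one, dropping PASS_MIN_DAYS from the variable list shown. Since that is the sole reason the range-diff marks commit 4 with `!`, it would help reviewers if the v1b note said "rebase only, no functional change" so the shifted context is not re-reviewed as new material.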
5:  c8f041d71528 = 5:  61639063c123 */: shadow(5): sp_min: Ignore field, and clear it

@patrakov commented Jan 6, 2026

The use case for the minimum password age is to prevent lazy people in environments where periodic password changes are required, knowing that they can't reuse the last 10 passwords, from changing the password 10 times to throwaway values and then back to the original. In practice, even though it is not explicitly regulated, auditors view it as a part of enforcement of the password history requirement.

@alejandro-colomar (Collaborator, Author) commented Jan 6, 2026

> The use case for the minimum password age is to prevent lazy people,

That's actually not lazy people, but intelligent people that know ways of enforcing security even under regulations that actively try to make them decrease security.

> knowing that they can't reuse 10 last passwords, from changing the password 10 times to throwaway values and then back to the original. In practice, even though it is not explicitly regulated, auditors view it as a part of enforcement of the password history requirement.

Auditors can come here and talk with us. :)

Signed-off-by: Alejandro Colomar <alx@kernel.org>

Signed-off-by: Alejandro Colomar <alx@kernel.org>

It makes no sense to limit the frequency of password change.  If one
changes one's password, and 5 minutes later the password is leaked, one
should be able to change the password immediately.

Signed-off-by: Alejandro Colomar <alx@kernel.org>

Signed-off-by: Alejandro Colomar <alx@kernel.org>

Whenever we were reading it, let's assume it contains a -1 (the integer
representation of an empty field).  Whenever we were writing it, let's
write a -1.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
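The last commit message above describes the read and write sides of ignoring sp_min: on read the field is treated as -1 (the integer form of an empty field), and on write a -1 is stored, which serialises as an empty field. The following is an added example, not shadow-utils code and not part of this pull request, that shows that behaviour on a shadow(5) line end to end. The struct name `shadow_rec`, the functions `parse_shadow_line`, `format_shadow_line` and `rewrite_shadow_line`, and the sample entry are all constructed for this illustration; the real parser in shadow (sgetspent) has different names and stricter handling, and the flag field is simplified to a signed long here.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record mirroring the nine shadow(5) fields.
 * Every numeric field uses -1 to mean "empty", as shadow does. */
struct shadow_rec {
    char name[64];
    char pwd[256];
    long lstchg;   /* days since the epoch of the last password change */
    long min;      /* sp_min: always -1 here, the stored value is ignored */
    long max;
    long warn;
    long inact;
    long expire;
    long flag;     /* simplified to long; -1 when the field is absent */
};

/* Empty string -> -1; otherwise a decimal integer; anything else is an error. */
static bool parse_num(const char *s, long *out)
{
    char *end;
    if (*s == '\0') {
        *out = -1;
        return true;
    }
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return false;
    *out = v;
    return true;
}

/* Split line in place on ':'; returns the field count, or -1 if more than max. */
static int split_fields(char *line, char *f[], int max)
{
    int n = 0;
    char *p = line;
    for (;;) {
        if (n == max)
            return -1;
        f[n++] = p;
        char *colon = strchr(p, ':');
        if (colon == NULL)
            break;
        *colon = '\0';
        p = colon + 1;
    }
    return n;
}

/* Parse one shadow(5) line. Returns 0 on success, -1 on malformed input.
 * sp_min (field 4) must still be syntactically valid, but its value is
 * discarded: the record always carries -1, the empty-field representation. */
int parse_shadow_line(const char *line, struct shadow_rec *r)
{
    char buf[512];
    char *f[9];
    long ignored;

    if (strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';   /* drop a trailing newline if present */

    int n = split_fields(buf, f, 9);
    if (n != 9 && n != 8)              /* the flag field is optional in shadow(5) */
        return -1;
    if (f[0][0] == '\0' || strlen(f[0]) >= sizeof(r->name) ||
        strlen(f[1]) >= sizeof(r->pwd))
        return -1;
    strcpy(r->name, f[0]);
    strcpy(r->pwd, f[1]);
    if (!parse_num(f[2], &r->lstchg) || !parse_num(f[3], &ignored) ||
        !parse_num(f[4], &r->max) || !parse_num(f[5], &r->warn) ||
        !parse_num(f[6], &r->inact) || !parse_num(f[7], &r->expire))
        return -1;
    r->min = -1;                       /* ignore whatever sp_min held on disk */
    if (n == 9) {
        if (!parse_num(f[8], &r->flag))
            return -1;
    } else {
        r->flag = -1;
    }
    return 0;
}

/* Serialise a record. Every -1 becomes an empty field, so sp_min is
 * always written back as "" regardless of what was read. */
int format_shadow_line(const struct shadow_rec *r, char *out, size_t sz)
{
    char nums[7][24];
    const long vals[7] = { r->lstchg, -1 /* sp_min cleared */, r->max,
                           r->warn, r->inact, r->expire, r->flag };
    for (int i = 0; i < 7; i++) {
        if (vals[i] == -1)
            nums[i][0] = '\0';
        else
            snprintf(nums[i], sizeof(nums[i]), "%ld", vals[i]);
    }
    int n = snprintf(out, sz, "%s:%s:%s:%s:%s:%s:%s:%s:%s", r->name, r->pwd,
                     nums[0], nums[1], nums[2], nums[3], nums[4], nums[5], nums[6]);
    if (n < 0 || (size_t)n >= sz)
        return -1;
    return 0;
}

/* Read a line and write it back: the sp_min field comes out empty. */
int rewrite_shadow_line(const char *in, char *out, size_t sz)
{
    struct shadow_rec r;
    if (parse_shadow_line(in, &r) != 0)
        return -1;
    return format_shadow_line(&r, out, sz);
}

int main(void)
{
    /* Constructed sample entry with sp_min = 7; not taken from any real system. */
    const char *line = "alice:$6$salt$hash:20000:7:90:14:::";
    char out[512];
    if (rewrite_shadow_line(line, out, sizeof(out)) == 0)
        printf("before: %s\nafter:  %s\n", line, out);
    return 0;
}
```

Round-tripping the constructed entry turns `alice:$6$salt$hash:20000:7:90:14:::` into `alice:$6$salt$hash:20000::90:14:::`: the parser still rejects a non-numeric sp_min (so a corrupted file is not silently accepted), but a valid value is dropped on read and an empty field is emitted on write, which is exactly the read/write split the commit message describes.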