Updated pam packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
Pluggable Authentication Modules (PAM) provide a system to set up authentication policies without the need to recompile programs to handle authentication.
- The pam_unix module contained an "off-by-one" error when comparing the date of user account expiration with the current date. In this situation, the real expiration of the account happened a day after the date specified by the "chage -E" command. This update fixes the "off-by-one" error and user accounts now expire on the date set by the "chage -E" command.
- The pam_unix and pam_pwhistory modules did not properly handle missing fields in the entries in the /etc/security/opasswd file. As a consequence, if some of the fields were not present in a user's entry, changing the password for example with the passwd command could result in a segmentation fault. This bug has been fixed and pam_unix and pam_pwhistory now properly handle missing fields in the entries in /etc/security/opasswd.
- Previously, the pam_limits module did not verify whether the process referenced in the /var/run/utmp file as the login process still existed. As a consequence, when the user had the "maxlogins" limit set in the limits.conf file and the login session process terminated unexpectedly and also did not update the utmp file correctly, the user did not have access to the system even if some of his previous login session no longer existed due to the crash. After this update, pam_limits tests whether the login process still exists on the system. As a result, the number of existing login sessions is counted more precisely when the "maxlogins" limit is applied by the pam_limits module.
- Previously, the pam_userdb module handled the call to the crypt() function too strictly not to expect modern crypt hash formats. As a consequence, pam_userdb was not able to support any other hash algorithms supported by the glibc library for the user password hashes. This update improves the code handling the crypt() function. Now, pam_userdb supports any password hash formats supported by the glibc crypt() function.
Users of pam are advised to upgrade to these updated packages, which fix these bugs.