-rw-r--r-- | modules/pam_lastlog/pam_lastlog.8.xml | 8 | ||||
-rw-r--r-- | modules/pam_lastlog/pam_lastlog.c | 2 |
2 files changed, 9 insertions, 1 deletions
diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml
index ecac2664..77da9dbc 100644
--- a/modules/pam_lastlog/pam_lastlog.8.xml
+++ b/modules/pam_lastlog/pam_lastlog.8.xml
@@ -12,7 +12,7 @@ <refnamediv id="pam_lastlog-name"> <refname>pam_lastlog</refname>
- <refpurpose>PAM module to display date of last login</refpurpose>
+ <refpurpose>PAM module to display date of last login and perform inactive account lock out</refpurpose>
 </refnamediv> <refsynopsisdiv>
@@ -64,6 +64,12 @@ Some applications may perform this function themselves. In such cases, this module is not necessary. </para>
+ <para>
+ If the module is called in the auth or account phase, the accounts that
+ were not used recently enough will be disallowed to log in. The
+ check is not performed for the root account so the root is never
+ locked out.
+ </para>
 </refsect1> <refsect1 id="pam_lastlog-options">
diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c
index 4111b182..50e5a59c 100644
--- a/modules/pam_lastlog/pam_lastlog.c
+++ b/modules/pam_lastlog/pam_lastlog.c
@@ -598,6 +598,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, uid = pwd->pw_uid; pwd = NULL; /* tidy up */
+ if (uid == 0)
+ return PAM_SUCCESS;
 /* obtain the last login date and all the relevant info */ last_fd = last_login_open(pamh, ctrl, uid); |
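Review bot: The added `if (uid == 0) return PAM_SUCCESS;` in pam_sm_authenticate carries no comment and returns a positive result rather than a neutral one, so in an auth stack where this module is marked `sufficient` (and no earlier required module has failed) a uid 0 login would be accepted on this return alone. I would put `/* uid 0 is exempt from the inactivity check so it can never be locked out */` above the test and have the man page state that the module is meant to be stacked as `required` or `requisite` for the auth and account phases. Whether `PAM_IGNORE` would fit better depends on what the rest of the function returns for accounts that pass the check, and that code lies outside the hunk. The test is on the numeric uid, so every account with uid 0 is exempt, not only the one named root, which the new man page paragraph ("the root account") does not spell out.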