Skip to content

Remove support for shadow(5)'s sp_min #1482

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
alejandro-colomar wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Remove support for shadow(5)'s sp_min #1482

alejandro-colomar wants to merge 5 commits into from
+28 −1,255

Conversation

@alejandro-colomar
Copy link
Collaborator

@alejandro-colomar alejandro-colomar commented Jan 6, 2026
edited
Loading

Password expiry was deprecated in 4.19.

sp_min (password minimum age) doesn't seem to be regulated, so it seems we can remove it already.

Link: #1432

@alejandro-colomar
src/chage.c: Remove interactive -m
d23f4fd 
Signed-off-by: Alejandro Colomar <alx@kernel.org>
@alejandro-colomar
*/: chage(1): -m,--mindays: Remove option
df14c80 
Signed-off-by: Alejandro Colomar <alx@kernel.org>
@alejandro-colomar
*/: passwd(1): -n,--mindays: Remove option
66cf7e9 
It makes no sense to limit the frequency of password change.  If one
changes its password, and 5 minutes later the password is leaked, one
should be able to change the password immediately.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
@alejandro-colomar
*/: login.defs(5): PASS_MIN_DAYS: Remove configuration variable
dacb488 
Signed-off-by: Alejandro Colomar <alx@kernel.org>
@alejandro-colomar
*/: shadow(5): sp_min: Ignore field, and clear it
c8f041d 
Whenever we were reading it, let's assume it contains a -1 (the integer
representation of an empty field).  Whenever we were writing it, let's
write a -1.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
@alejandro-colomar alejandro-colomar self-assigned this Jan 6, 2026
@patrakov
Copy link

patrakov commented Jan 6, 2026
edited
Loading

The use case for the minimum password age is to prevent lazy people in environments where periodic password changes are required, knowing that they can't reuse 10 last passwords, from changing the password 10 times to throwaway values and then back to the original. In practice, even though it is not explicitly regulated, auditors view it as a part of enforcement of the password history requirement.

@alejandro-colomar
Copy link
Collaborator Author

alejandro-colomar commented Jan 6, 2026
edited
Loading

The use case for the minimum password age is to prevent lazy people,

That's actually not lazy people, but intelligent people that know ways of enforcing security even under regulations that actively try them to decrease security.

knowing that they can't reuse 10 last passwords, from changing the password 10 times to throwaway values and then back to the original. In practice, even though it is not explicitly regulated, auditors view it as a part of enforcement of the password history requirement.

Auditors can come here and talk with us. :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hallyn hallyn Awaiting requested review from hallyn

@ikerexxe ikerexxe Awaiting requested review from ikerexxe

At least 1 approving review is required to merge this pull request.

Assignees

@alejandro-colomar alejandro-colomar

Labels

deprecation/removal

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alejandro-colomar @patrakov