pam: do not require a non-expired password for user@.service

Without this parameter, we would allow user@ to start if the user
has no password (i.e. the password is "locked"). But when the user does have a password,
and it is marked as expired, we would refuse to start the service.
There are other authentication mechanisms and we should not tie this service to
the password state.

The documented way to disable an *account* is to call 'chage -E0'. With a disabled
account, user@.service will still refuse to start:

systemd[16598]: PAM failed: User account has expired
systemd[16598]: PAM failed: User account has expired
systemd[16598]: user@1005.service: Failed to set up PAM session: Operation not permitted
systemd[16598]: user@1005.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
systemd[1]: user@1005.service: Main process exited, code=exited, status=224/PAM
systemd[1]: user@1005.service: Failed with result 'exit-code'.
systemd[1]: Failed to start user@1005.service.
systemd[1]: Stopping user-runtime-dir@1005.service...

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1961746.

(cherry picked from commit 71889176e4372b443018584c3520c1ff3efe2711)

diff --git a/src/login/systemd-user.m4 b/src/login/systemd-user.m4
index f6313f79fe18d9344d75581f097339d1b23b95db..e3020116c829bce802196be849ab099ee7b346ac 100644 (file)
--- a/src/login/systemd-user.m4
+++ b/src/login/systemd-user.m4
@@ -5,7 +5,7 @@
 m4_ifdef(`ENABLE_HOMED',
 -account sufficient pam_systemd_home.so
 )m4_dnl
-account sufficient pam_unix.so
+account sufficient pam_unix.so no_pass_expiry
 account required pam_permit.so
 
 m4_ifdef(`HAVE_SELINUX',