# login program inhibits "Password Expired" messages



## AncientGeek (Feb 7, 2018)

In /etc/login.conf (login.conf(5)) there is a setting called _warnpassword_ that is used to set the amount of time before password expiration during which the user should get a warning upon login. However, under normal circumstances, this warning isn't displayed.

The source code for pam_unix(8) shows the following:

```
if (pwd->pw_change) {
    warntime = login_getcaptime(lc, "warnpassword",
        DEFAULT_WARN, DEFAULT_WARN);
    if (tp.tv_sec >= pwd->pw_change) {
        retval = PAM_NEW_AUTHTOK_REQD;
    } else if (pwd->pw_change - tp.tv_sec < warntime &&
        (flags & PAM_SILENT) == 0) {
        pam_error(pamh, "Warning: your password expires on %s",
            ctime(&pwd->pw_change));
    }
}
```

The problem is that under normal circumstances, the login(1) program sets the PAM_SILENT flag in getloginname():


```
if (nbuf[0] == '-') {
    pam_silent = 0;
    memmove(nbuf, nbuf + 1, strlen(nbuf));
} else {
    pam_silent = PAM_SILENT;
}
```

(nbuf holds the entered username)

A normal username will run the PAM modules with PAM_SILENT set, so warning messages will never be displayed.  _But if I prefix the username with a hyphen, I *do* see the warning message!_  (And any other PAM messages, I expect.)  Is this a known "feature" of username entry?  Am I missing some other setting that will allow a user doing a normal login to see the expiration warning message?


----------
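The interaction described in the post above, as an added example that is not part of the original post or of the system's own source: a standalone C model that runs a typed login name through both excerpts and reports what the user would see. `MODEL_PAM_SILENT`, the function names, the sample times and the 14-day warning window are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MODEL_PAM_SILENT 0x8000 /* stand-in for PAM_SILENT (assumed value) */
#define DAY (24 * 60 * 60)

enum outcome { OUT_NONE, OUT_WARN, OUT_EXPIRED };

/* Models the getloginname() excerpt: a leading '-' is stripped from the
 * name and clears the silent flag; any other name sets it. */
int parse_login_name(char *nbuf) {
    if (nbuf[0] == '-') {
        memmove(nbuf, nbuf + 1, strlen(nbuf)); /* also moves the NUL */
        return 0;
    }
    return MODEL_PAM_SILENT;
}

/* Models the pam_unix excerpt: expiry is reported regardless of flags,
 * the warning only when the silent flag is clear. */
enum outcome check_expiry(time_t now, time_t pw_change, time_t warntime, int flags) {
    if (pw_change == 0)
        return OUT_NONE;
    if (now >= pw_change)
        return OUT_EXPIRED; /* PAM_NEW_AUTHTOK_REQD in the excerpt */
    if (pw_change - now < warntime && (flags & MODEL_PAM_SILENT) == 0)
        return OUT_WARN;
    return OUT_NONE;
}

/* Runs a typed login name through both steps. */
enum outcome login_outcome(const char *typed, time_t now, time_t pw_change, time_t warntime) {
    char nbuf[64];
    snprintf(nbuf, sizeof nbuf, "%s", typed);
    return check_expiry(now, pw_change, warntime, parse_login_name(nbuf));
}

int main(void) {
    static const char *label[] = { "nothing shown", "warning shown", "password change required" };
    time_t now = 1000000;   /* constructed sample time */
    time_t warn = 14 * DAY; /* constructed warnpassword value */
    printf("alice,  expires in 3d:  %s\n", label[login_outcome("alice", now, now + 3 * DAY, warn)]);
    printf("-alice, expires in 3d:  %s\n", label[login_outcome("-alice", now, now + 3 * DAY, warn)]);
    printf("alice,  expired 1d ago: %s\n", label[login_outcome("alice", now, now - DAY, warn)]);
    return 0;
}
```

The third case shows that the silent flag suppresses only the advance warning: once `pw_change` has passed, the expiry result is returned whether or not the flag is set.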

