Arch Linux

Here are two descriptions: one related to broken --keep-tokens option and one to --mindays.

--[--keep-tokens]-----------------------------------------------------
Description:

Man page says that the command "passwd -k" won't have effect if my password isn't expired, but this is wrong in Archlinux. I can change any password with "passwd -k" (including not expired ones).

Steps to reproduce:

1. Let's create a test user (I will type the following commands as root):

> useradd -m foo

2. then let's set a password for it:

> passwd foo
Enter new UNIX password: bar
Retype new UNIX password: bar
passwd: password updated successfully

3. To make sure that the password isn't outdated type this:

> passwd -S foo
foo P 06/23/2008 0 99999 7 -1

99999 is enough large number of days.

4. But the password will be changed anyway if you will run "passwd -k" under foo.

--[--mindays]-----------------------------------------------------
Description:

There is an option to limit the period between password changes - "--mindays". But this doesn't work in Archlinux.

Steps to reproduce:

1. Let's create a test user:

> useradd -m bar

2. with some password:

> passwd bar
Enter new UNIX password: 123
Retype new UNIX password: 123
passwd: password updated successfully

3. Default value of MIN_DAYS is 0, which means that user can change his/her password at any time:

> passwd -S bar
bar P 06/23/2008 0 99999 7 -1

Set the MIN_DAYS to 3 days by the following commands:

> passwd --mindays 3 bar
Password changed.
> passwd -S bar
bar P 06/23/2008 3 99999 7 -1

4. According to the man page, the user bar can change his password only once every three days. But this isn't true! Under bar you can change the password indefinite number of times as before!

-------------------------------------------------------------------------

There are no such bugs on the latest Slax and Debian.

See also: http://bbs.archlinux.org/viewtopic.php?id=50649