Date:      20 Jan 2002 21:07:14 +0100
From:      Dag-Erling Smorgrav <des@ofug.org>
To:        "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc:        markm@freebsd.org, current@freebsd.org
Subject:   Re: Step2, pam_unix just expired pass fix for review
Message-ID:  <xzpy9is3hxp.fsf@flood.ping.uio.no>
In-Reply-To: <20020120195407.GA24138@nagual.pp.ru>
References:  <20020120191711.GA23576@nagual.pp.ru> <xzplmes4xpm.fsf@flood.ping.uio.no> <20020120195407.GA24138@nagual.pp.ru>

"Andrey A. Chernov" <ache@nagual.pp.ru> writes:
> On Sun, Jan 20, 2002 at 20:41:09 +0100, Dag-Erling Smorgrav wrote:
> > pam_sm_acct_mgmt() is allowed to return PAM_AUTHTOK_EXPIRED (which is
> > a better return value than PAM_AUTH_ERR for this case).  Other than
> > that, I have no objections to your patch.
> This is a fix for pam_sm_authenticate(), not for pam_sm_acct_mgmt(). Is
> pam_sm_authenticate() allowed to return PAM_AUTHTOK_EXPIRED too? I don't
> find it in the allowed return codes list.

I misread your mail.  pam_sm_authenticate() is not supposed to care
that the password is expired.  If it did, users with expired
passwords would be effectively locked out; they're supposed to get a
chance to change their password.  The application is supposed to call
pam_chauthtok() if pam_acct_mgmt() returns PAM_AUTHTOK_EXPIRED; see
the sample application in DCE RFC 86.0.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
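
The application flow described in the reply above, as an added example that is not part of the original message or of pam_unix: a small C simulation comparing an authenticate step that ignores expiry with one that rejects expired passwords. The `SIM_*` codes, `struct acct` and every function name are hypothetical stand-ins for the PAM calls, so it builds without libpam.

```c
#include <stdio.h>

/* Local stand-ins for the PAM result codes named in the message; the
 * values are constructed here, not taken from <security/pam_appl.h>. */
enum { SIM_SUCCESS, SIM_AUTH_ERR, SIM_AUTHTOK_EXPIRED };
/* What the application ends up doing with the user. */
enum { LOCKED_OUT = 0, LOGGED_IN = 1, LOGGED_IN_AFTER_CHANGE = 2 };

/* Constructed account state for the simulation. */
struct acct { int password_ok; int expired; };

/* Model A: authentication only checks the password. */
static int auth_ignores_expiry(const struct acct *a) {
    return a->password_ok ? SIM_SUCCESS : SIM_AUTH_ERR;
}
/* Model B: authentication also fails on an expired password. */
static int auth_rejects_expired(const struct acct *a) {
    return (a->password_ok && !a->expired) ? SIM_SUCCESS : SIM_AUTH_ERR;
}
/* Account management is the step that reports expiry. */
static int acct_mgmt(const struct acct *a) {
    return a->expired ? SIM_AUTHTOK_EXPIRED : SIM_SUCCESS;
}
/* Password change: succeeds and clears the expired state. */
static int chauthtok(struct acct *a) { a->expired = 0; return SIM_SUCCESS; }

/* Application side: authenticate, then account management, then a
 * password change if account management reports an expired token. */
int login_flow(int (*authenticate)(const struct acct *), struct acct *a) {
    if (authenticate(a) != SIM_SUCCESS)
        return LOCKED_OUT;              /* acct_mgmt is never reached */
    int r = acct_mgmt(a);
    if (r == SIM_AUTHTOK_EXPIRED)
        return chauthtok(a) == SIM_SUCCESS ? LOGGED_IN_AFTER_CHANGE
                                           : LOCKED_OUT;
    return r == SIM_SUCCESS ? LOGGED_IN : LOCKED_OUT;
}

/* Run one user who typed the correct password through either model. */
int run_user(int expired, int reject_in_auth) {
    struct acct a = { 1, expired };
    return login_flow(reject_in_auth ? auth_rejects_expired
                                     : auth_ignores_expiry, &a);
}

int main(void) {
    printf("expired, auth ignores expiry: %d\n", run_user(1, 0));
    printf("expired, auth rejects expiry: %d\n", run_user(1, 1));
    return 0;
}
```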
