"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> On Sun, Jan 20, 2002 at 20:41:09 +0100, Dag-Erling Smorgrav wrote:
> > pam_sm_acct_mgmt() is allowed to return PAM_AUTHTOK_EXPIRED (which is
> > a better return value than PAM_AUTH_ERR for this case). Other than
> > that, I have no objections to your patch.
> This is a fix for pam_sm_authenticate(), not for pam_sm_acct_mgmt(). Is
> pam_sm_authenticate() allowed to return PAM_AUTHTOK_EXPIRED too? I don't
> find it in the allowed return codes list.
I misread your mail. Pam_sm_authenticate() is not supposed to care
that the password is expired. If it did, users with expired
passwords would be effectively locked out; they're supposed to get a
chance to change their password. The application is supposed to call
pam_chauthtok() if pam_acct_mgmt() returns PAM_AUTHTOK_EXPIRED; see
the sample application in DCE RFC 86.0.
Dag-Erling Smorgrav - [EMAIL PROTECTED]
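
The call sequence described in the message above, as an added example that is not part of the original mail or of any PAM implementation: it models the application side and contrasts an authentication step that ignores expiry with one that rejects expired passwords. The `X_*` codes, `struct acct`, `struct ops` and all function names are hypothetical stand-ins for libpam's constants and calls, and the account data is constructed.

```c
#include <stdio.h>

/* Local stand-ins named after the PAM codes in the message (not libpam's values). */
enum { X_SUCCESS, X_AUTH_ERR, X_AUTHTOK_EXPIRED };
enum login_result { LOGIN_OK, LOGIN_OK_AFTER_CHANGE, LOGIN_DENIED };

/* Constructed account state standing in for the password database. */
struct acct { int password_ok, expired, change_ok, chauthtok_calls; };

/* Hypothetical backend table; a real application calls pam_authenticate(),
 * pam_acct_mgmt() and pam_chauthtok() on a PAM handle instead. */
struct ops {
    int (*authenticate)(struct acct *);
    int (*acct_mgmt)(struct acct *);
    int (*chauthtok)(struct acct *);
};

/* Authentication only verifies the secret; expiry is not its business. */
static int auth_ignores_expiry(struct acct *a) { return a->password_ok ? X_SUCCESS : X_AUTH_ERR; }
/* The behaviour the message warns against: expiry treated as an auth failure. */
static int auth_rejects_expired(struct acct *a) { return (a->password_ok && !a->expired) ? X_SUCCESS : X_AUTH_ERR; }
static int acct_mgmt(struct acct *a) { return a->expired ? X_AUTHTOK_EXPIRED : X_SUCCESS; }
static int chauthtok(struct acct *a) {
    a->chauthtok_calls++;
    if (!a->change_ok) return X_AUTH_ERR;
    a->expired = 0;                 /* a successful change clears the expiry */
    return X_SUCCESS;
}

/* Application-side sequence: authenticate, check the account, and offer a
 * password change only when the account check reports an expired token. */
enum login_result login_flow(const struct ops *o, struct acct *a) {
    if (o->authenticate(a) != X_SUCCESS) return LOGIN_DENIED;
    switch (o->acct_mgmt(a)) {
    case X_SUCCESS: return LOGIN_OK;
    case X_AUTHTOK_EXPIRED:
        return o->chauthtok(a) == X_SUCCESS ? LOGIN_OK_AFTER_CHANGE : LOGIN_DENIED;
    default: return LOGIN_DENIED;   /* fail closed on anything unexpected */
    }
}

/* Runs a user with a correct but expired password through either module style. */
enum login_result run_expired_user(int module_rejects_expired, int *chauthtok_calls) {
    struct acct a = { 1, 1, 1, 0 };
    struct ops o = { module_rejects_expired ? auth_rejects_expired : auth_ignores_expiry,
                     acct_mgmt, chauthtok };
    enum login_result r = login_flow(&o, &a);
    *chauthtok_calls = a.chauthtok_calls;
    return r;
}

int main(void) {
    int n;
    printf("ignores expiry: %d\n", run_expired_user(0, &n));
    printf("rejects expired: %d\n", run_expired_user(1, &n));
    return 0;
}
```

With the expiry-ignoring step the user reaches the password change and logs in; with the rejecting step the flow stops at authentication and the change is never offered.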