"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> On Sun, Jan 20, 2002 at 20:41:09 +0100, Dag-Erling Smorgrav wrote:
> > pam_sm_acct_mgmt() is allowed to return PAM_AUTHTOK_EXPIRED (which is
> > a better return value than PAM_AUTH_ERR for this case).  Other than
> > that, I have no objections to your patch.
> This is fix for pam_sm_authenticate(), not for pam_sm_acct_mgmt(). Is 
> pam_sm_authenticate() allowed to return PAM_AUTHTOK_EXPIRED too? I don't 
> find it in allowed return codes list.

I misread your mail.  Pam_sm_authenticate() is not supposed to care
that the password is expired.  If it did, it users with expired
passwords would be effectively locked out; they're supposed to get a
chance to change their password.  The application is supposed to call
pam_chauthtok() if pam_acct_mgmt() returns PAM_AUTHTOK_EXPIRED; see
the sample application in DCE RFC 86.0.

Dag-Erling Smorgrav - [EMAIL PROTECTED]

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to