Russ, I usually don't use the change password feature, but I now checked the PAM help for pam_sm_authenticate and pam_sm_acct_mgmt. On both Linux and Solaris it states that only pam_acct_mgmt should return PAM_NEW_AUTHTOK_REQD for expired passwords, not pam_sm_authenticate. I haven't yet checked the OpenSSH and other sources, but I think you need to save the state you get in pam_sm_authenticate and use it in pam_sm_acct_mgmt.
Any thoughts?

Markus

"Russ Allbery" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I'm pleased to announce release 3.10 of pam-krb5.
>
> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
> It supports ticket refreshing by screen savers, configurable authorization
> handling, authentication of non-local accounts for network services,
> password changing, and password expiration, as well as all the standard
> expected PAM features. It works correctly with OpenSSH, even with
> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
> supports configuration either by PAM options or in krb5.conf or both.
>
> Changes from previous release:
>
>     The workaround for krb5_get_init_creds_opt_alloc problems in MIT
>     Kerberos 1.6 broke PKINIT support with Heimdal. Only apply that
>     workaround when building against the MIT Kerberos libraries. Thanks
>     to Jaakko Pero for the detailed report.
>
>     If no_ccache is set, always exit successfully from pam_setcred or
>     pam_open_session, even if we couldn't retrieve module data. Thanks,
>     Markus Moeller.
>
>     When keytab is set, properly handle failure to create a keytab cursor
>     and don't assume that the cursor is valid. Thanks, Markus Moeller.
>
>     Define _ALL_SOURCE on AIX to get prototypes for snprintf.
>
>     Add additional portability glue and Autoconf probes to support
>     building against the version of Kerberos bundled with AIX. Support
>     for this should be considered alpha in this release. Thanks to Markus
>     Moeller for the initial patch.
>
> You can download it from:
>
>     <http://www.eyrie.org/~eagle/software/pam-krb5/>
>
> Debian packages have been uploaded to Debian unstable.
>
> Please let me know of any problems or feature requests not already listed
> in the TODO file.
>
> --
> Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
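
The state hand-off suggested in the message above, sketched as an added example that is not part of the original post and is not pam-krb5 code. The `example_*` functions, `STATE_KEY` and `enum kdc_result` are hypothetical, the `pam_set_data`/`pam_get_data` stand-ins only mirror the libpam signatures so the block compiles without libpam, and it assumes both phases run on the same PAM handle.

```c
/* Stand-ins for libpam so this compiles alone; a real module includes
 * <security/pam_modules.h> instead of this first section. */
#include <string.h>

enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_NEW_AUTHTOK_REQD = 12,
       PAM_NO_MODULE_DATA = 18, PAM_IGNORE = 25 };  /* Linux-PAM values */
typedef struct pam_handle { const char *name; const void *data; } pam_handle_t;

static int pam_set_data(pam_handle_t *h, const char *name, void *data,
                        void (*cleanup)(pam_handle_t *, void *, int))
{
    (void) cleanup;               /* static data below needs no cleanup */
    h->name = name;
    h->data = data;
    return PAM_SUCCESS;
}

static int pam_get_data(const pam_handle_t *h, const char *name, const void **data)
{
    if (h->name == NULL || strcmp(h->name, name) != 0)
        return PAM_NO_MODULE_DATA;
    *data = h->data;
    return PAM_SUCCESS;
}

/* Hypothetical key and KDC outcomes, not pam-krb5 identifiers. */
#define STATE_KEY "example_krb5_pw_state"
enum kdc_result { KDC_OK, KDC_BAD_PASSWORD, KDC_KEY_EXPIRED };
static int state_ok = 0, state_expired = 1;

/* Auth phase: never report expiry here, only remember it. */
int example_authenticate(pam_handle_t *pamh, enum kdc_result r)
{
    if (r == KDC_BAD_PASSWORD)
        return PAM_AUTH_ERR;
    return pam_set_data(pamh, STATE_KEY,
                        r == KDC_KEY_EXPIRED ? &state_expired : &state_ok, NULL);
}

/* Account phase: the only place PAM_NEW_AUTHTOK_REQD is returned. */
int example_acct_mgmt(pam_handle_t *pamh)
{
    const void *state = NULL;
    if (pam_get_data(pamh, STATE_KEY, &state) != PAM_SUCCESS)
        return PAM_IGNORE;        /* this module did not authenticate the user */
    return *(const int *) state ? PAM_NEW_AUTHTOK_REQD : PAM_SUCCESS;
}
```

In a real module the two functions would be `pam_sm_authenticate` and `pam_sm_acct_mgmt`, and heap-allocated state would need a cleanup callback passed to `pam_set_data`.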
