Russ Allbery <[EMAIL PROTECTED]> writes:

> "Markus Moeller" <[EMAIL PROTECTED]> writes:
>
>> I usually don't use the change password feature, but I now checked the
>> pam help for pam_sm_authenticate and pam_sm_acct_mgmt. On both Linux
>> and Solaris it states that only pam_acct_mgmt should return
>> PAM_NEW_AUTHTOK_REQD for expired passwords, not pam_sm_authenticate. I
>> haven't yet checked the OpenSSH and other sources, but I think you
>> need to save the state you get in pam_sm_authenticate and use it in
>> pam_sm_acct_mgmt.
>
> Yeah, this is how the documentation claims that PAM should work, but it
> doesn't actually work this way and most applications don't expect it to
> work this way. In practice, pam-krb5 will usually not return
> PAM_NEW_AUTHTOK_REQD anyway since the Kerberos library will handle the
> password change immediately.
>
> Currently, the module somewhat intentionally doesn't support the way in
> which password changes supposedly work since I've never seen any
> software that needed that behavior, but I suppose it could be added.

It's worth noting that the supposedly correct behavior cannot be the
default behavior, since (broken) applications that call pam_authenticate
and never call pam_acct_mgmt will then incorrectly grant access to users
with expired passwords. Such applications are *extremely* common. It
would have to be an option that one could enable if one was sure that all
of one's applications correctly followed the documented PAM semantics.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
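The access-control consequence argued in this message, as an added worked model that is not pam-krb5's code or any real PAM API: a toy module with two behaviours (report expiry from the authenticate step, or save the state and defer it to the account-management step behind a hypothetical `defer_pwchange` option), run against an application that either does or does not call the account-management step. All type, function and option names here are constructed for the model; only the return-code names mirror the thread.

```c
#include <stdio.h>

/* Return-code names from the thread; the numeric values are constructed
 * for this model and are not taken from any PAM implementation. */
enum { MODEL_PAM_SUCCESS = 0, MODEL_PAM_NEW_AUTHTOK_REQD = 12 };

/* Minimal stand-in for a PAM handle. A real module would keep the saved
 * state via the PAM data API; here it is just a struct field. */
typedef struct {
    int password_expired;   /* what the KDC reported (constructed input) */
    int defer_pwchange;     /* hypothetical module option */
    int saw_expired;        /* state saved by the authenticate step */
} model_handle_t;

/* Module side, mirroring pam_sm_authenticate: the default reports the
 * expired password immediately; with defer_pwchange it only records it. */
int module_authenticate(model_handle_t *h) {
    if (!h->password_expired) return MODEL_PAM_SUCCESS;
    if (h->defer_pwchange) { h->saw_expired = 1; return MODEL_PAM_SUCCESS; }
    return MODEL_PAM_NEW_AUTHTOK_REQD;
}

/* Module side, mirroring pam_sm_acct_mgmt: acts only on saved state. */
int module_acct_mgmt(model_handle_t *h) {
    return h->saw_expired ? MODEL_PAM_NEW_AUTHTOK_REQD : MODEL_PAM_SUCCESS;
}

/* Application side: a well-behaved app calls both steps, a broken one
 * calls only authenticate. Returns 1 if the user would be let in. */
int app_grants_access(int expired, int defer_pwchange, int calls_acct_mgmt) {
    model_handle_t h = { expired, defer_pwchange, 0 };
    if (module_authenticate(&h) != MODEL_PAM_SUCCESS) return 0;
    if (calls_acct_mgmt && module_acct_mgmt(&h) != MODEL_PAM_SUCCESS) return 0;
    return 1;
}

int main(void) {
    /* Table for an expired password: the deferred mode combined with a
     * broken application is the one row that grants access. */
    printf("defer_pwchange  app_calls_acct_mgmt  -> result\n");
    for (int d = 0; d < 2; d++)
        for (int a = 0; a < 2; a++)
            printf("      %d                %d           -> %s\n", d, a,
                   app_grants_access(1, d, a) ? "GRANTED" : "denied");
    return 0;
}
```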
