"Andrey A. Chernov" <[EMAIL PROTECTED]> writes: > On Sun, Jan 20, 2002 at 20:41:09 +0100, Dag-Erling Smorgrav wrote: > > pam_sm_acct_mgmt() is allowed to return PAM_AUTHTOK_EXPIRED (which is > > a better return value than PAM_AUTH_ERR for this case). Other than > > that, I have no objections to your patch. > This is fix for pam_sm_authenticate(), not for pam_sm_acct_mgmt(). Is > pam_sm_authenticate() allowed to return PAM_AUTHTOK_EXPIRED too? I don't > find it in allowed return codes list.
I misread your mail. Pam_sm_authenticate() is not supposed to care that the password is expired. If it did, it users with expired passwords would be effectively locked out; they're supposed to get a chance to change their password. The application is supposed to call pam_chauthtok() if pam_acct_mgmt() returns PAM_AUTHTOK_EXPIRED; see the sample application in DCE RFC 86.0. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
