I think I've been able to get pam_krb5 to ask for the new password
properly by using the "defer_pwchange" option which moves asking for the
replacement password from pam_authenticate() to pam_acct_mgmt(). See
the man page for pam_krb5. However, the solution isn't perfect based on
this note from the man page:

    If this option is set, pam-krb5 uses the fully correct PAM mechanism for
    handling expired accounts instead of failing in pam_authenticate(). Due
    to the security risk of widespread broken applications, be very careful
    about enabling this option. It should normally only be turned on to solve
    a specific problem (such as using Solaris Kerberos libraries that don't
    support prompting for password changes during authentication), and then
    only for specific applications known to call pam_acct_mgmt() and check its
    return status properly.

--
https://bugs.launchpad.net/bugs/972537
Title:
lightdm doesn't allow expired passwords
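
Added example, not part of the original message and not pam_krb5 or lightdm code: a small C model of the caveat in the quoted man page text, contrasting a caller that trusts pam_authenticate() alone with one that checks pam_acct_mgmt() and forces the change. The struct, the model_* functions and the sample account are hypothetical; it assumes the standard PAM flow in which the account phase reports an expired password as PAM_NEW_AUTHTOK_REQD.

```c
#include <stdio.h>

/* Stand-ins for PAM return codes (values as in Linux-PAM); a real
 * application gets these from <security/pam_appl.h>. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_NEW_AUTHTOK_REQD = 12,
       PAM_AUTHTOK_ERR = 20 };

/* Hypothetical model of a Kerberos account behind the PAM stack. */
struct account {
    int password_ok;      /* user typed the correct current password   */
    int expired;          /* that password has expired                 */
    int change_succeeds;  /* user completes the password change prompt */
    int defer_pwchange;   /* module option from the message above      */
};

static int model_authenticate(const struct account *a) {
    if (!a->password_ok) return PAM_AUTH_ERR;
    /* Without the option an expired password fails here; with it, the
     * expiry is left for the account phase to report (assumed flow). */
    if (a->expired && !a->defer_pwchange) return PAM_AUTH_ERR;
    return PAM_SUCCESS;
}
static int model_acct_mgmt(const struct account *a) {
    return a->expired ? PAM_NEW_AUTHTOK_REQD : PAM_SUCCESS;
}
static int model_chauthtok(struct account *a) {
    if (!a->change_succeeds) return PAM_AUTHTOK_ERR;
    a->expired = 0;       /* new password set, expiry cleared */
    return PAM_SUCCESS;
}

/* Broken caller: opens a session on pam_authenticate() alone. */
int broken_login(struct account *a) {
    return model_authenticate(a) == PAM_SUCCESS;
}

/* Correct caller: checks pam_acct_mgmt() and forces the change. */
int correct_login(struct account *a) {
    if (model_authenticate(a) != PAM_SUCCESS) return 0;
    int rc = model_acct_mgmt(a);
    if (rc == PAM_NEW_AUTHTOK_REQD)   /* real call: pam_chauthtok(pamh, */
        rc = model_chauthtok(a);      /*   PAM_CHANGE_EXPIRED_AUTHTOK)  */
    return rc == PAM_SUCCESS;
}
int main(void) {
    struct account a = { 1, 1, 0, 1 };  /* constructed: expired, change refused */
    printf("broken=%d correct=%d\n", broken_login(&a), correct_login(&a));
    return 0;
}
```

A return value of 1 means a session would be opened; with defer_pwchange set, only the caller that checks the account phase keeps an expired password from logging in.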