Hello,

On 24/01/2014 16:46, Yves-Alexis Perez wrote:
> That's why I think PAM people might have more clue than me…

I wrote to Steve Langasek (pam DM), briefly described the problem and asked for information.

Steve about the man page:

> Well, this information from the manpage authoritatively describes how the
> flag is meant to be used: if pam_chauthtok() is being called to request
> changing expired tokens, the flag is expected to be passed.

Steve about the missing flag in lightdm:

> However, lightdm definitely should be passing PAM_CHANGE_EXPIRED_AUTHTOK
> whenever it calls pam_chauthtok(), because lightdm doesn't have any
> interface for letting the user /request/ a change of their password.

About pam_unix, which is more important because it is the default PAM module: to be sure that I hadn't messed anything up, I tried with a clean Wheezy installation. I confirm that, due to the missing flag in lightdm, anyone can change their expired password via lightdm, bypassing the password policies (as root does).

Regards,
G.
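The call sequence Steve describes above, as an added example that is not lightdm's or Linux-PAM's code: after login, run account management and, when PAM reports an expired token, call pam_chauthtok() with PAM_CHANGE_EXPIRED_AUTHTOK. So that it builds and runs without libpam, the two PAM calls are reached through a small function-pointer table and a constructed fake backend stands in for libpam and a pam_unix-like module; the table, the fake backend and run_login() are assumptions made for this demonstration. The constant values are copied from Linux-PAM's _pam_types.h. The pass_flag parameter lets the same flow be run both the correct way and the flag-less way the thread reports for lightdm, so the difference the module sees is visible side by side.

```c
#include <stdio.h>

/* Return codes and the flag as defined in Linux-PAM's _pam_types.h;
 * copied here so the example builds without <security/pam_appl.h>. */
#define PAM_SUCCESS                0
#define PAM_NEW_AUTHTOK_REQD       12
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020

/* Indirection over the two libpam calls involved (an assumption for this
 * stand-alone example). A real display manager would fill this with
 * pam_acct_mgmt and pam_chauthtok from libpam. */
struct pam_ops {
    int (*acct_mgmt)(void *pamh, int flags);
    int (*chauthtok)(void *pamh, int flags);
};

/* Application side, after pam_authenticate() has succeeded: run account
 * management and, if PAM reports an expired token, ask for that token to
 * be renewed. pass_flag selects the correct call (1) or the flag-less
 * call the thread reports lightdm making (0). */
int finish_login(const struct pam_ops *ops, void *pamh, int pass_flag)
{
    int rc = ops->acct_mgmt(pamh, 0);
    if (rc != PAM_NEW_AUTHTOK_REQD)
        return rc;
    /* PAM_CHANGE_EXPIRED_AUTHTOK tells the module this is a forced
     * renewal of an expired token, not a user-initiated password change. */
    return ops->chauthtok(pamh, pass_flag ? PAM_CHANGE_EXPIRED_AUTHTOK : 0);
}

/* Constructed stand-in for libpam plus a pam_unix-like module. It records
 * what the application passed so the difference can be inspected. */
struct fake_pam {
    int expired;          /* input: is the account's password expired? */
    int chauthtok_calls;  /* how often chauthtok was reached */
    int last_flags;       /* flags of the last chauthtok call */
    int rc;               /* result of finish_login() */
};

static int fake_acct_mgmt(void *pamh, int flags)
{
    struct fake_pam *p = pamh;
    (void)flags;
    return p->expired ? PAM_NEW_AUTHTOK_REQD : PAM_SUCCESS;
}

static int fake_chauthtok(void *pamh, int flags)
{
    struct fake_pam *p = pamh;
    p->chauthtok_calls++;
    p->last_flags = flags;
    /* Manpage semantics quoted in the thread: with the flag set, a module
     * changes the token only if it is actually expired. Without the flag
     * it has no way to tell this call from a user-requested change. */
    if ((flags & PAM_CHANGE_EXPIRED_AUTHTOK) && !p->expired)
        return PAM_SUCCESS;
    p->expired = 0;  /* token renewed */
    return PAM_SUCCESS;
}

static const struct pam_ops fake_ops = { fake_acct_mgmt, fake_chauthtok };

/* Run one login against the fake backend and return what it observed. */
struct fake_pam run_login(int expired, int pass_flag)
{
    struct fake_pam p = { expired, 0, 0, PAM_SUCCESS };
    p.rc = finish_login(&fake_ops, &p, pass_flag);
    return p;
}

int main(void)
{
    struct fake_pam fixed = run_login(1, 1);
    struct fake_pam buggy = run_login(1, 0);
    printf("expired token, flag passed:  chauthtok flags=0x%04x\n", fixed.last_flags);
    printf("expired token, flag omitted: chauthtok flags=0x%04x\n", buggy.last_flags);
    printf("token not expired:           chauthtok calls=%d\n",
           run_login(0, 1).chauthtok_calls);
    return 0;
}
```

With a real libpam the only change is to put pam_acct_mgmt and pam_chauthtok into the table; the point to check in any display manager is that the only pam_chauthtok() call it ever makes carries PAM_CHANGE_EXPIRED_AUTHTOK, since, as Steve notes, it has no interface for a user-requested change.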