And even more, I think it may/should include: > > if (amroot) { > > fprintf (stderr, _("%s: %s\n(Ignored)\n"), Prog, > > pam_strerror (pamh, ret)); > > + } else if (ret == PAM_NEW_AUTHTOK_REQD) { + SYSLOG ((LOG_NOTICE, "pam_chauthtok: %s", + pam_strerror (pamh, ret))); > > + ret = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK); I.e. make a notice to syslog independently of the user changing her "authtok" successfully or not.
and instead of: > > + if (ret != PAM_SUCCESS) { > > + SYSLOG ((LOG_ERR, "pam_chauthtok: %s", > > + pam_strerror (pamh, ret))); > > + fprintf (stderr, _("%s: %s\n"), Prog, > > + pam_strerror (pamh, ret)); > > + pam_end (pamh, ret); > > + su_failure (tty); > > + } maybe just PAM_FAIL_CHECK;???
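Review bot: In the added PAM_NEW_AUTHTOK_REQD branch, the SYSLOG line carries the prefix "pam_chauthtok:" but runs before pam_chauthtok is called, so the pam_strerror (pamh, ret) text it records describes the result of the earlier call, not of pam_chauthtok. Use a prefix that names the call which returned PAM_NEW_AUTHTOK_REQD, so this LOG_NOTICE entry cannot be mistaken for the LOG_ERR "pam_chauthtok: %s" entry written when the change itself fails.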
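Review bot: Swapping the quoted if (ret != PAM_SUCCESS) block for PAM_FAIL_CHECK is only equivalent if the macro performs everything the block does: the SYSLOG at LOG_ERR, the fprintf to stderr, pam_end (pamh, ret) and su_failure (tty). The macro's definition is not among the quoted lines, so check it before making the swap; if it omits su_failure (tty) or logs without the "pam_chauthtok:" prefix, keep the explicit block.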