"Markus Moeller" <[EMAIL PROTECTED]> writes:

> I usually don't use the change password feature, but I now checked the
> pam help for pam_sm_authenticate and pam_sm_acct_mgmt. On both Linux and
> Solaris it states that only pam_acct_mgmt should return
> PAM_NEW_AUTHTOK_REQD for expired passwords, not pam_sm_authenticate. I
> haven't yet checked the Openssh and others sources, but I think you need
> to save the state you get in pam_sm_authenticate and use it in
> pam_sm_acct_mgmt.

Yeah, this is how the documentation claims that PAM should work, but it doesn't actually work this way and most applications don't expect it to work this way. In practice, pam-krb5 will usually not return PAM_NEW_AUTHTOK_REQD anyway since the Kerberos library will handle the password change immediately.

Currently, the module somewhat intentionally doesn't support the way in which password changes supposedly work since I've never seen any software that needed that behavior, but I suppose it could be added.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
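
The flow the quoted man pages describe, as an added example that is not part of either message and is not pam-krb5 or OpenSSH code. It is a self-contained C model: `struct handle`, the `sm_*` functions and `login_flow` are hypothetical stand-ins for a PAM handle, a module's entry points and the calling application, so it builds without libpam; a real module would keep the flag with pam_set_data() and pam_get_data().

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins so this builds without PAM headers (numeric values as in Linux-PAM). */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_NEW_AUTHTOK_REQD = 12 };

/* Hypothetical model of one PAM handle: the account record plus the per-handle
 * flag a real module would store with pam_set_data(). */
struct handle { const char *stored_pw; int pw_expired; int saw_expired; };

/* Auth phase: verify the password. A valid but expired password still returns
 * PAM_SUCCESS; the expiry is only recorded for the account phase. */
int sm_authenticate(struct handle *h, const char *pw) {
    if (strcmp(pw, h->stored_pw) != 0)
        return PAM_AUTH_ERR;
    h->saw_expired = h->pw_expired;
    return PAM_SUCCESS;
}

/* Account phase: report the expiry that the auth phase saved. */
int sm_acct_mgmt(struct handle *h) {
    return h->saw_expired ? PAM_NEW_AUTHTOK_REQD : PAM_SUCCESS;
}

/* Password phase: install the new password and clear the saved state. */
int sm_chauthtok(struct handle *h, const char *new_pw) {
    h->stored_pw = new_pw;
    h->pw_expired = 0;
    h->saw_expired = 0;
    return PAM_SUCCESS;
}

/* Application side: authenticate, run the account check, and force a
 * password change when the account phase asks for one. */
int login_flow(struct handle *h, const char *pw, const char *new_pw) {
    int rc = sm_authenticate(h, pw);
    if (rc != PAM_SUCCESS)
        return rc;
    rc = sm_acct_mgmt(h);
    if (rc == PAM_NEW_AUTHTOK_REQD)
        rc = sm_chauthtok(h, new_pw);
    return rc;
}

int main(void) {
    struct handle h = { "old-secret", 1, 0 };  /* constructed sample account */
    printf("authenticate=%d\n", sm_authenticate(&h, "old-secret"));
    printf("acct_mgmt=%d\n", sm_acct_mgmt(&h));
    printf("login_flow=%d\n", login_flow(&h, "old-secret", "new-secret"));
    return 0;
}
```

In this model the expiry only surfaces if the application goes on to call the account phase after authentication succeeds.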
