On Tue, 2016-04-19 at 12:59 +0200, Joakim Tjernlund wrote: > Just had a look at adding support for PAM_NEW_AUTHTOK_REQ in dropbear like so: > --- a/svr-authpam.c > +++ b/svr-authpam.c > - if ((rc = pam_acct_mgmt(pamHandlep, 0)) != PAM_SUCCESS) { > + rc = pam_acct_mgmt(pamHandlep, 0); > + if (rc == PAM_NEW_AUTHTOK_REQD) { > + rc = pam_chauthtok(pamHandlep, PAM_CHANGE_EXPIRED_AUTHTOK); > + } > + if (rc != PAM_SUCCESS) { > > This is of course not enough and I wonder if upstream dropbear would be > interested in adding support for PAM_NEW_AUTHTOK_REQ? > > Jocke
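Review bot: the new pam_chauthtok(pamHandlep, PAM_CHANGE_EXPIRED_AUTHTOK) call needs a new password supplied through the PAM conversation callback, and nothing in this hunk provides one, so as posted the expired-password branch has no way to obtain the replacement token. The patch should also show how the conversation function answers the new-password prompts, or the branch should fail closed with a clear message until that exists. Separately, reusing rc for both calls means the following "if (rc != PAM_SUCCESS)" cannot tell a pam_acct_mgmt failure from a pam_chauthtok failure; handling the pam_chauthtok result in its own check with its own log line would keep the two cases distinguishable when auditing failed logins.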
Ping?

PAM_NEW_AUTHTOK_REQ is needed to support passwd expiration, that is, forcing the user to change passwd at first login or when the passwd is too old.

Jocke