[Bug 1188] keyboard-interactive should not allow retry after pam_acct_mgmt fails

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed May 3 15:57:53 EST 2006


------- Comment #5 from dtucker at zip.com.au  2006-05-03 15:57 -------
(In reply to comment #4)
> PAM acct mgmt can fail for reasons other than password expiry. The
> patch looks like you assume this is the reason.

The patch is about *account* expiry not *password* expiry.  Actually,
it's about any failures of pam_acct_mgmt that aren't password expiry.

do_pam_account() sets force_pwchange and returns success if
pam_account_mgmt returns PAM_NEW_AUTHTOK_REQD (but the code already
checks for that) or returns a failure for any other non-success code.

> Also, if the account IS expired, the user should be given a chance
> to update their password.

If pam_acct_mgmt failed for any reason other than PAM_NEW_AUTHTOK_REQD
then no, they shouldn't.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the openssh-bugs mailing list