[Bug 1188] keyboard-interactive should not allow retry after pam_acct_mgmt fails

bugzilla-daemon at mindrot.org
Thu May 4 12:49:46 EST 2006


------- Comment #6 from fcusack at fcusack.com  2006-05-04 12:49 -------
> do_pam_account() sets force_pwchange and returns success if
> pam_account_mgmt returns PAM_NEW_AUTHTOK_REQD (but the code already
> checks for that) or returns a failure for any other non-success code.

I hadn't looked at do_pam_acct(), I only looked at the patch.  So
without enough context I mistook the effects of the patch.  I did at
least say "looks like".

Thanks for the additional info, it sounds like the patch DTRT.

>> Also, if the account IS expired, the user should be given a chance
>> to update their password.
> If pam_acct_mgmt failed for any reason other than PAM_NEW_AUTHTOK_REQD
> then no, they shouldn't.

That's what I just said.  Since the patch doesn't have the effect I
thought it did, you can obviously ignore this comment.
