Expired passwords & PAM
Peter Astrand
altic at lysator.liu.se
Thu Oct 12 03:06:00 EST 2000
Currently, OpenSSH prints the message:
"Warning: You password has expired, please change it now"
if the password has expired. It would be nice if the user could/had to
change password before continuing, like with Linux console login. I've
tried to make a patch, but it doesn't work. Ideas?
--- auth-pam.c.org Wed Oct 11 18:03:43 2000
+++ auth-pam.c Wed Oct 11 18:03:44 2000
@@ -36,9 +36,6 @@
RCSID("$Id: auth-pam.c,v 1.12 2000/08/29 22:57:50 djm Exp $");
-#define NEW_AUTHTOK_MSG \
- "Warning: You password has expired, please change it now"
-
/* Callbacks */
static int pamconv(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr);
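Review bot: removing NEW_AUTHTOK_MSG here drops the only message in these hunks that tells the user why something is happening at login. Consider keeping the define (with "You password" corrected to "Your password") and still passing it to pam_msg_cat() before the change is attempted, so the user sees that the password has expired before being asked for a new one.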
@@ -175,11 +172,17 @@
pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0);
switch (pam_retval) {
- case PAM_SUCCESS:
+ case PAM_SUCCESS:
/* This is what we want */
break;
- case PAM_NEW_AUTHTOK_REQD:
- pam_msg_cat(NEW_AUTHTOK_MSG);
+ case PAM_AUTHTOK_EXPIRED:
+ case PAM_NEW_AUTHTOK_REQD:
+ pam_retval = pam_chauthtok((pam_handle_t *)pamh,
PAM_CHANGE_EXPIRED_
AUTHTOK);
+ if (pam_retval != PAM_SUCCESS) {
+ log("PAM change authtoken failed: %.200s",
+ PAM_STRERROR((pam_handle_t *)pamh,
pam_retval));
+ return(0);
+ }
break;
default:
log("PAM rejected by account
configuration: %.200s",
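Review bot: in the PAM_NEW_AUTHTOK_REQD case, a failed pam_chauthtok() now ends in return(0), so a login that used to be warned and allowed is denied whenever the change cannot complete. pam_chauthtok() asks for the old and new passwords through the conversation callback (pamconv, declared above), so this path only succeeds if that callback can actually prompt the user at this point in the login; if it cannot, every user with an expired password is locked out and the only trace is the log() line. Worth confirming that pamconv can carry an interactive exchange here, or deferring the change until the session has a terminal, and sending the failure reason to the user as well as the log. Minor: the change to "case PAM_SUCCESS:" is whitespace only and could be dropped from the patch.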
--
/Peter Åstrand <altic at lysator.liu.se>