Snapshot
Kevin Steves
stevesk at sweden.hp.com
Thu Sep 21 07:34:48 EST 2000
On Wed, 20 Sep 2000, Rob Hagopian wrote:
: People will always have this version of HP-UX somewhere...
And when the patch is available we tell them to install the patch.
: #ifndef PAM_AUTHTOK_EXPIRED
: #ifdef PAM_NEW_AUTHTOK_REQD
: #define PAM_AUTHTOK_EXPIRED PAM_NEW_AUTHTOK_REQD
: #warn "HP-UX pam defect worked around"
: #else
: #error "PAM_AUTHTOK_EXPIRED is required by the PAM spec"
: #endif
This doesn't work because PAM_AUTHTOK_EXPIRED is defined.
This is what I had in mind (untested); though I'd prefer to wait a bit
and see when the fix might be available before inserting workarounds
like these in the code. And I don't know when PAM_AUTHTOK_EXPIRED
should be returned and what security issues may result from this.
--- auth-pam.c~ Sat Sep 16 07:09:27 2000
+++ auth-pam.c Wed Sep 20 22:24:43 2000
@@ -206,6 +206,13 @@
case PAM_SUCCESS:
/* This is what we want */
break;
+#ifdef __hpux
+ /*
+ * This is a workaround to an HP-UX PAM defect;
+ * refer to JAGad29724 for patch availability.
+ */
+ case PAM_AUTHTOK_EXPIRED:
+#endif
case PAM_NEW_AUTHTOK_REQD:
pam_msg_cat(NEW_AUTHTOK_MSG);
/* flag that password change is necessary */
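Review bot: The new `case PAM_AUTHTOK_EXPIRED:` label falls through into the `PAM_NEW_AUTHTOK_REQD` branch with no fall-through comment, so on every build where `__hpux` is defined an expired-token status is handled exactly like a required password change instead of reaching whatever case handled it before. The code after "flag that password change is necessary" is outside this hunk, so it is worth confirming that the flag actually blocks the session until the password is changed before this status is accepted here. I would add a `/* FALLTHROUGH */` marker after the `#endif`. Since the guard is keyed on `__hpux` alone, it also stays active on systems that already have the fix referenced as JAGad29724, so the comment should say when the workaround is to be removed.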