Snapshot
Rob Hagopian
rob at hagopian.net
Thu Sep 21 07:38:20 EST 2000
Oops, I got them reversed... but has anyone confirmed that all versions of
HP-UX have PAM_AUTHTOK_EXPIRED defined?
+#ifdef PAM_AUTHTOK_EXPIRED
+ /*
+ * This is a workaround to an HP-UX PAM defect;
+ * refer to JAGad29724 for patch availability.
+ */
+ case PAM_AUTHTOK_EXPIRED:
+#endif
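Review bot: the `#ifdef PAM_AUTHTOK_EXPIRED` guard on the first line tests only whether the constant exists, so the added `case PAM_AUTHTOK_EXPIRED:` is compiled on every platform whose PAM headers define it as a macro, not just on HP-UX, although the comment describes an HP-UX defect. If the intent is to protect against HP-UX releases that lack the constant, test both conditions, for example `#if defined(__hpux) && defined(PAM_AUTHTOK_EXPIRED)`.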
would be safer...
-Rob
On Wed, 20 Sep 2000, Kevin Steves wrote:
> On Wed, 20 Sep 2000, Rob Hagopian wrote:
> : People will always have this version of HP-UX somewhere...
>
> And when the patch is available we tell them to install the patch.
>
> : #ifndef PAM_AUTHTOK_EXPIRED
> : #ifdef PAM_NEW_AUTHTOK_REQD
> : #define PAM_AUTHTOK_EXPIRED PAM_NEW_AUTHTOK_REQD
> : #warning "HP-UX pam defect worked around"
> : #else
> : #error "PAM_AUTHTOK_EXPIRED is required by the PAM spec"
> : #endif
> : #endif
>
> This doesn't work because PAM_AUTHTOK_EXPIRED is defined.
>
> This is what I had in mind (untested); though I'd prefer to wait a bit
> and see when the fix might be available before inserting workarounds
> like these in the code. And I don't know when PAM_AUTHTOK_EXPIRED
> should be returned and what security issues may result from this.
>
> --- auth-pam.c~ Sat Sep 16 07:09:27 2000
> +++ auth-pam.c Wed Sep 20 22:24:43 2000
> @@ -206,6 +206,13 @@
> case PAM_SUCCESS:
> /* This is what we want */
> break;
> +#ifdef __hpux
> + /*
> + * This is a workaround to an HP-UX PAM defect;
> + * refer to JAGad29724 for patch availability.
> + */
> + case PAM_AUTHTOK_EXPIRED:
> +#endif
> case PAM_NEW_AUTHTOK_REQD:
> pam_msg_cat(NEW_AUTHTOK_MSG);
> /* flag that password change is necessary */
>
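Review bot: the added `case PAM_AUTHTOK_EXPIRED:` falls through into the `PAM_NEW_AUTHTOK_REQD` branch, so on HP-UX an expired token is treated as a required password change, and the comment does not say so: it names JAGad29724 but not what the defect is or that the fall-through is intentional. State both in the comment. The `#ifdef __hpux` guard also keeps the workaround active on systems where the vendor patch has been installed; if a patched system can be told apart at build time, narrow the guard, otherwise note in the comment that the block should be removed once the patch is generally available.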