kerberos + gssapi password change
Darren Tucker
dtucker at zip.com.au
Thu Oct 9 13:23:13 EST 2003
Darren Tucker wrote:
> Maybe sshpam_query needs to understand PAM_NEW_AUTHTOK_REQD?
Please try this patch (it will apply on top of pwexp24). I have no idea
if this is right or not (but it compiles :-)
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
--- auth-pam.c.pwexp24 2003-10-09 12:53:53.000000000 +1000
+++ auth-pam.c 2003-10-09 13:18:04.000000000 +1000
@@ -422,6 +422,7 @@
break;
case PAM_SUCCESS:
case PAM_AUTH_ERR:
+ case PAM_NEW_AUTHTOK_REQD:
if (**prompts != NULL) {
/* drain any accumulated messages */
#if 0 /* XXX - not compatible with privsep */
@@ -434,7 +435,12 @@
xfree(**prompts);
**prompts = NULL;
}
- if (type == PAM_SUCCESS) {
+
+ if (sshpam_err == PAM_NEW_AUTHTOK_REQD)
+ flag_password_change_required();
+
+ if (type == PAM_SUCCESS ||
+ type == PAM_NEW_AUTHTOK_REQD) {
*num = 0;
**echo_on = 0;
ctxt->pam_done = 1;
More information about the openssh-unix-dev
mailing list