Steve Langasek wrote:
>
> On Tue, May 21, 2002 at 05:43:29PM +0530, Sridhar Bandi wrote:
>
> > What should be the error code that needs to be returned by
> > pam_sm_authenticate() when the user's account is expired?
> > Should it return PAM_SUCCESS or PAM_ACCT_EXPIRED?
> > What I think is it shouldn't return PAM_ACCT_EXPIRED, as
> > it's pam_acct_mgmt()'s job to return this error.
> > Please clear my doubt, thanks in advance for all the help.
>
> That's correct. A PAM application is required to call pam_acct_mgmt()
> after a successful return from pam_authenticate(), so in theory it's ok
> to return PAM_SUCCESS from pam_authenticate().

Another way to think about it is that if the user's account has expired, it is not the case that joe random should be able to find that out by simply trying to log in - this information is really only appropriate for the poor individual who just lost access to their account.

(In addition to the pam_acct_mgmt() failure, it would be entirely appropriate for pam_sm_setcred() to fail too - with something like PAM_CRED_ERR. But the pam_acct_mgmt() failure should be enough.)

Cheers

Andrew
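The following C program is an added illustration, not code from this thread or from any PAM implementation. It models the split discussed above: the authentication step checks only the secret, and the expiry check runs afterwards in the account-management step. The `demo_*` functions, `struct account`, the sample users and the day numbers are constructed for the example; the return-code values are the ones Linux-PAM uses.

```c
#include <stdio.h>
#include <string.h>

/* Linux-PAM's numeric values; a real module takes them from
 * <security/pam_modules.h> instead of defining them. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_ACCT_EXPIRED = 13 };

/* Hypothetical account record. expire_day follows shadow(5):
 * days since 1970-01-01, or -1 for "never expires". */
struct account { const char *name, *secret; long expire_day; };

/* Constructed sample data; plaintext secrets stand in for a hash check. */
static const struct account accounts[] = {
    { "alice", "correct horse", -1 }, { "bob", "battery staple", 11800 },
};

static const struct account *lookup(const char *user)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0) return &accounts[i];
    return NULL;
}

/* Role of pam_sm_authenticate(): checks the secret only. Expiry is never
 * consulted, so a wrong guess gets the same answer for any account. */
int demo_authenticate(const char *user, const char *secret)
{
    const struct account *a = lookup(user);
    return (a && strcmp(a->secret, secret) == 0) ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Role of pam_sm_acct_mgmt(): reached only after authentication succeeded. */
int demo_acct_mgmt(const char *user, long today)
{
    const struct account *a = lookup(user);
    if (a == NULL) return PAM_AUTH_ERR;
    if (a->expire_day >= 0 && today >= a->expire_day) return PAM_ACCT_EXPIRED;
    return PAM_SUCCESS;
}

/* Application side: pam_acct_mgmt() follows a successful pam_authenticate(). */
int demo_login(const char *user, const char *secret, long today)
{
    int rc = demo_authenticate(user, secret);
    return rc != PAM_SUCCESS ? rc : demo_acct_mgmt(user, today);
}

int main(void)
{
    long today = 11828; /* constructed: 2002-05-21 as days since the epoch */
    printf("wrong secret: %d, right secret: %d\n", demo_login("bob", "guess", today),
           demo_login("bob", "battery staple", today));
}
```

With a wrong secret the expired account and the live one return the same code; only the holder of the correct secret reaches the expiry result.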