BTW, my guess is the FreeBSD folk never tested the password-changing/aging aspect of this PAM_KRB5 module. Either that or this bug mystified them.

Plus there's another bug in this module, as I mentioned before, in that it does not copy the null-termination to the krb5_data response buffers provided by krb5_get_init_password(). This isn't obviously necessary since the length of the strings is recorded in the krb5_data, but, unfortunately, krb5_get_init_password() uses strcmp() to compare the two new passwords (instead of comparing their length and then using strncmp()).

Sigh...

Nico

On Sun, Mar 04, 2001 at 02:13:36PM -0500, Nicolas Williams wrote:
> Steve,
>
> Yes, I see. Solaris conversation functions expect a pointer to the first
> of a set of contiguous (struct pam_message). Linux-PAM's misc_conv()
> expects a pointer to an array of pointers to (struct pam_message).
>
> What a horrid mistake Sun's developers made. Eeck.
>
> We can probably put in #ifdef'ed fixes for this in all modules that
> prompt for more than one item at a time.
>
> Another possible fix would be to make a module prompt for one item at a
> time. That was something I was already going to make an option in this
> module because CDE's dtgreet only handles a prompt at a time anyways
> (which means dtlogin has to break up multi-prompts and, I think, it is
> buggy wrt multi-prompts, at least on Solaris 8 BETA_REFRESH [yes, I
> need to upgrade]).
>
> I see no reason why it is necessary or better to send these three prompts at
> once rather than one after the other:
>
> "Password expired. You must change it now."
> "Enter new password"
> "Enter it again"
>
> That would be a simple fix, though it will only work as long as there
> isn't an absolute need to prompt multiple prompts in one go.
>
> Nico
> --
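
The layout mismatch described in the quoted message, as an added example that is not part of the original e-mails or of the PAM_KRB5 module: a module can pass the conversation function an array of pointers whose targets are themselves contiguous, so the Solaris reading and the Linux-PAM reading both see the same prompts. `struct pam_message` is redefined here as a stand-in so the code builds without PAM headers, and `prompt_set`, `build_prompts`, `read_contiguous`, `read_ptr_array` and `views_agree` are hypothetical names.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for struct pam_message (normally from <security/pam_appl.h>). */
struct pam_message { int msg_style; const char *msg; };

#define NPROMPTS 3
/* Constructed sample: the three prompts quoted in the message. */
static const char *const sample_text[NPROMPTS] = {
    "Password expired. You must change it now.",
    "Enter new password",
    "Enter it again",
};

/* Hypothetical holder: contiguous structs plus one pointer per struct. */
struct prompt_set {
    struct pam_message msgs[NPROMPTS];
    const struct pam_message *ptrs[NPROMPTS];
};

/* Fill both views and return the value to pass as the conv "msg" argument. */
const struct pam_message **build_prompts(struct prompt_set *ps) {
    for (size_t i = 0; i < NPROMPTS; i++) {
        ps->msgs[i].msg_style = 0;   /* style value is irrelevant to the layout */
        ps->msgs[i].msg = sample_text[i];
        ps->ptrs[i] = &ps->msgs[i];
    }
    return ps->ptrs;
}

/* Solaris reading: *msg is the first of a contiguous set of structs. */
const char *read_contiguous(const struct pam_message **msg, size_t i) {
    return (*msg)[i].msg;
}

/* Linux-PAM reading: msg is an array of pointers to structs. */
const char *read_ptr_array(const struct pam_message **msg, size_t i) {
    return msg[i]->msg;
}

/* Count the prompts on which both readings return the same string. */
int views_agree(void) {
    static struct prompt_set ps;
    const struct pam_message **msg = build_prompts(&ps);
    int same = 0;
    for (size_t i = 0; i < NPROMPTS; i++)
        same += read_contiguous(msg, i) == read_ptr_array(msg, i);
    return same;
}

int main(void) { return views_agree() == NPROMPTS ? 0 : 1; }
```

If only one of the two layouts is built, the other reading indexes past the end of the object it was given for every prompt after the first, which is why single-prompt conversations work on both platforms and multi-prompt ones do not.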