Hello,

On Fri, 21 Sep 2001, SRIDHAR BANDI wrote:

> What should pam_sm_authenticate() (PAM Kerberos) return when the
> password of the user is expired? Should we return PAM_NEW_AUTHTOK_REQD
> or PAM_SUCCESS? Please can someone help me with this.
> Thanks so much in advance for helping me out.
> Regards

After much discussion of this in other fora, the consensus seems to be
that the *correct* thing for pam_sm_authenticate() to return here is
PAM_SUCCESS, and that the module should internally keep track of the fact
that pam_sm_acct_mgmt() should return PAM_NEW_AUTHTOK_REQD when called.

In the real world, there are some PAM applications that do bad things in
this situation, and will grant the user access without ever calling
pam_acct_mgmt(), or calling pam_acct_mgmt() on a different PAM handle.
For this reason, the pam_krb5 module in CVS at
:pserver:anonymous@cvs.pam.sourceforge.net:/cvsroot/pam has an option
called 'pw_exp_in_auth', which can be used to effect a Kerberos password
change during the pam_sm_authenticate() call.

My understanding of the spec is that PAM_NEW_AUTHTOK_REQD is not a
permitted return code from pam_authenticate(), and most applications
would not handle it gracefully anyway.

Regards,
Steve Langasek
postmodern programmer
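Added example, not code from this mail thread or from the pam_krb5 module: a self-contained C model of the rule in the reply above. A correct but expired password makes the authenticate step return PAM_SUCCESS and stash the expiry on the handle; the account-management step reads it back and returns PAM_NEW_AUTHTOK_REQD. It also shows the two application misbehaviours the reply names (granting access on authenticate alone, and running acct_mgmt on a different handle) and the 'pw_exp_in_auth' style workaround of changing the password during authenticate. Everything here is an assumption for illustration: the function names (krb5_authenticate, krb5_acct_mgmt, login_correctly, login_with_fresh_handle), the struct pam_model_handle standing in for pam_handle_t plus pam_set_data()/pam_get_data(), the in-memory "KDC" table with constructed users alice and bob, and the kdc_change_password() stand-in for the kpasswd exchange. The numeric return codes are the Linux-PAM values; no libpam is needed to compile it.

```c
/* Added example, not code from the original mail or from pam_krb5: a
 * libpam-free model of the split the reply describes.  A correct but expired
 * password makes pam_sm_authenticate() return PAM_SUCCESS and remember the
 * expiry; pam_sm_acct_mgmt() then returns PAM_NEW_AUTHTOK_REQD.  The handle
 * struct stands in for pam_handle_t plus pam_set_data()/pam_get_data(), the
 * KDC is a constructed in-memory table, return-code values are Linux-PAM's. */
#include <stdio.h>
#include <string.h>

enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_USER_UNKNOWN = 10,
       PAM_NEW_AUTHTOK_REQD = 12 };
enum { KRB_OK, KRB_BAD_PASSWORD, KRB_PASSWORD_EXPIRED, KRB_NO_PRINCIPAL };
/* Constructed KDC: alice's password is current, bob's is correct but expired. */
struct principal { const char *name; const char *password; int expired; };
static struct principal kdc[] = {
    { "alice", "correct horse", 0 },
    { "bob",   "old-password",  1 },
};

static struct principal *kdc_lookup(const char *name)
{
    for (size_t i = 0; i < sizeof kdc / sizeof kdc[0]; i++)
        if (strcmp(kdc[i].name, name) == 0)
            return &kdc[i];
    return NULL;
}

static int kdc_check(const char *user, const char *pw)
{
    struct principal *p = kdc_lookup(user);
    if (!p)                           return KRB_NO_PRINCIPAL;
    if (strcmp(p->password, pw) != 0) return KRB_BAD_PASSWORD;
    return p->expired ? KRB_PASSWORD_EXPIRED : KRB_OK;
}

/* Stand-in for the kpasswd exchange: install a new password, clear expiry. */
static int kdc_change_password(const char *user, const char *newpw)
{
    struct principal *p = kdc_lookup(user);
    if (!p || !newpw || !*newpw) return -1;
    p->password = newpw;
    p->expired = 0;
    return 0;
}

/* Stand-in for pam_handle_t.  pw_expired is the module-private datum a real
 * module stores with pam_set_data() and reads back with pam_get_data(),
 * which only works when both calls happen on the SAME handle. */
struct pam_model_handle {
    const char *user;
    const char *authtok;      /* password obtained via the conversation */
    const char *new_authtok;  /* replacement, used only with pw_exp_in_auth */
    int pw_exp_in_auth;       /* the pam_krb5 option named in the reply */
    int pw_expired;           /* module data, set by authenticate */
};

/* Models pam_sm_authenticate(): the verdict is only "did the password
 * verify?".  Expiry is recorded for acct_mgmt rather than returned, since
 * PAM_NEW_AUTHTOK_REQD is not a permitted pam_authenticate() result. */
int krb5_authenticate(struct pam_model_handle *h)
{
    int rc = kdc_check(h->user, h->authtok);
    if (rc == KRB_NO_PRINCIPAL) return PAM_USER_UNKNOWN;
    if (rc == KRB_BAD_PASSWORD) return PAM_AUTH_ERR;
    h->pw_expired = (rc == KRB_PASSWORD_EXPIRED);   /* pam_set_data() for real */
    if (h->pw_expired && h->pw_exp_in_auth) {
        /* pw_exp_in_auth: change the password now, for applications that
         * never reach pam_acct_mgmt(); no usable new token means deny. */
        if (kdc_change_password(h->user, h->new_authtok) != 0)
            return PAM_AUTH_ERR;
        h->pw_expired = 0;
    }
    return PAM_SUCCESS;
}

/* Models pam_sm_acct_mgmt(): reports the datum authenticate left behind. */
int krb5_acct_mgmt(const struct pam_model_handle *h)
{
    return h->pw_expired ? PAM_NEW_AUTHTOK_REQD : PAM_SUCCESS;
}
/* Well-behaved application: both calls on one handle, so
 * PAM_NEW_AUTHTOK_REQD reaches the caller, who must then force a change. */
int login_correctly(struct pam_model_handle *h)
{
    int rc = krb5_authenticate(h);
    return rc == PAM_SUCCESS ? krb5_acct_mgmt(h) : rc;
}

/* acct_mgmt on a different handle: the expiry datum is absent, so it passes. */
int login_with_fresh_handle(struct pam_model_handle *h)
{
    int rc = krb5_authenticate(h);
    struct pam_model_handle fresh = { h->user, NULL, NULL, 0, 0 };
    return rc == PAM_SUCCESS ? krb5_acct_mgmt(&fresh) : rc;
}

int main(void)
{
    struct pam_model_handle bob = { "bob", "old-password", NULL, 0, 0 };
    printf("same handle: %d, fresh handle: %d\n",
           login_correctly(&bob), login_with_fresh_handle(&bob));
}
```

Build with `cc -std=c99 -o pam_model pam_model.c` (assumed file name). The first misbehaviour in the reply, an application that grants access on the authenticate result alone, is simply calling krb5_authenticate() and stopping: it returns PAM_SUCCESS for bob's expired password, exactly as the correct flow does up to that point, which is why the module cannot signal expiry from authenticate and why the expiry check has to live in acct_mgmt on the same handle. With pw_exp_in_auth set and a new token supplied, the change happens inside authenticate and acct_mgmt then has nothing to report.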