On Tue, Apr 16, 2002 at 08:33:02AM +0200, Thorsten Kukuk wrote:
> On Mon, Apr 15, Steve Langasek wrote:
> > On Mon, Apr 15, 2002 at 02:09:45PM +0200, Thorsten Kukuk wrote:
> > > If you use shadow passwords and your password expires, login will ask
> > > you to change the password to a new one. This is no problem, if the
> > > password is stored local in /etc/shadow and the old password is
> > > not necessary.
> > > But if the password and the shadow information is stored in a remote
> > > service, where you need the old password to change it, you have lost.
> > > Is there really no way to get the AUTHTOK used in
> > > pam_sm_authenticate() from pam_sm_chauthtok()? Do I really have to
> > > ask the user a second time for his password?

> > I don't see any general solution to the question of having to prompt for
> > the password a second time when changing the password. And indeed, I
> > don't think this is /all/ bad; I can't think of anything pre-PAM that
> > did any better, and PAM's support for stackable password changes is a
> > definite improvement.

> Hm, a normal, shadow capable login program can do it, because it can
> save the first password and reuse it later.

The example I was thinking of was sshd, which has (AFAIK) always, in all
incarnations, needed to invoke /usr/bin/passwd after authentication if
the account is expired. I guess it's been so long since I used a plain,
PAMless shadow app that I've forgotten how they worked. :)

Steve Langasek
postmodern programmer