[29115] in Kerberos


Re: pam-krb5 3.10 released

daemon@ATHENA.MIT.EDU (Russ Allbery)
Sat Jan 19 15:23:17 2008

To: kerberos@mit.edu
In-Reply-To: <13p4dhr33jhulb0@corp.supernews.com> (Markus Moeller's message of
	"Sat\, 19 Jan 2008 17\:40\:56 -0000")
From: Russ Allbery <rra@stanford.edu>
Date: Sat, 19 Jan 2008 12:22:23 -0800
Message-ID: <871w8dd0qo.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

"Markus Moeller" <huaraz@moeller.plus.com> writes:

> I usually don't use the change password feature, but I now checked the
> pam help for pam_sm_authenticate and pam_sm_acct_mgmt. On both Linux and
> Solaris it states that only pam_acct_mgmt should return
> PAM_NEW_AUTHTOK_REQD for expired passwords not pam_sm_authenticate.  I
> haven't yet checked the Openssh and others sources, but I think you need
> to save the state you get in pam_sm_authenticate and use it in
> pam_sm_acct_mgmt.

Yeah, this is how the documentation claims that PAM should work, but it
doesn't actually work this way and most applications don't expect it to
work this way.  In practice, pam-krb5 will usually not return
PAM_NEW_AUTHTOK_REQD anyway since the Kerberos library will handle the
password change immediately.

Currently, the module somewhat intentionally doesn't support the way in
which password changes supposedly work since I've never seen any software
that needed that behavior, but I suppose it could be added.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
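
The save-state hand-off described in the quoted text above (the documented PAM model, which the reply says pam-krb5 does not currently support), as an added example that is not code from pam-krb5 or from either poster. The one-slot `pam_handle_t`, the `example_sm_*` functions, `enum kdc_result` and `STATE_KEY` are hypothetical stand-ins so it runs without libpam; a real module would include `<security/pam_modules.h>` and implement `pam_sm_authenticate` and `pam_sm_acct_mgmt`.

```c
#include <stddef.h>
#include <string.h>

/* Return codes, with the values Linux-PAM gives them in <security/_pam_types.h>. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_NEW_AUTHTOK_REQD = 12,
       PAM_NO_MODULE_DATA = 18, PAM_IGNORE = 25 };

/* Assumption: one-slot stand-in for libpam's opaque per-transaction handle. */
typedef struct { const char *name; void *data; } pam_handle_t;
/* Local models with the same signatures as libpam's pam_set_data/pam_get_data. */
static int pam_set_data(pam_handle_t *h, const char *name, void *data,
                        void (*cleanup)(pam_handle_t *, void *, int)) {
    (void)cleanup;                 /* a real module frees its data here */
    h->name = name; h->data = data;
    return PAM_SUCCESS;
}
static int pam_get_data(const pam_handle_t *h, const char *name, const void **data) {
    if (h->name == NULL || strcmp(h->name, name) != 0)
        return PAM_NO_MODULE_DATA;
    *data = h->data;
    return PAM_SUCCESS;
}

/* Constructed stand-in for the outcome of the Kerberos password check. */
enum kdc_result { KDC_OK, KDC_OK_BUT_EXPIRED, KDC_BAD_PASSWORD };
#define STATE_KEY "example_krb5_state"          /* hypothetical data name */
static int state_ok = 0, state_expired = 1;
/* Auth phase: a correct but expired password still succeeds; only record it. */
int example_sm_authenticate(pam_handle_t *h, enum kdc_result r) {
    if (r == KDC_BAD_PASSWORD)
        return PAM_AUTH_ERR;
    return pam_set_data(h, STATE_KEY,
                        r == KDC_OK_BUT_EXPIRED ? &state_expired : &state_ok, NULL);
}

/* Account phase: report the expiry that the auth phase saved. */
int example_sm_acct_mgmt(pam_handle_t *h) {
    const void *state = NULL;
    /* Nothing saved: this module did not authenticate the user, so no opinion. */
    if (pam_get_data(h, STATE_KEY, &state) != PAM_SUCCESS)
        return PAM_IGNORE;
    return *(const int *)state ? PAM_NEW_AUTHTOK_REQD : PAM_SUCCESS;
}

int main(void) {
    pam_handle_t h = {0};
    example_sm_authenticate(&h, KDC_OK_BUT_EXPIRED);
    return example_sm_acct_mgmt(&h) == PAM_NEW_AUTHTOK_REQD ? 0 : 1;
}
```

Returning `PAM_IGNORE` when no state was saved is a choice made for this example; it covers the case where the account phase runs although this module's auth phase never did.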
