diff options
author | Sumit Bose <sbose@redhat.com> | 2010-02-22 09:10:32 +0100 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-02-23 16:16:24 -0500 |
commit | 7343ee3d775303845e2528c676c59ef3582d6b27 (patch) | |
tree | 430a3aff0b029462db53a40272811b3733bbe7b7 /src/sss_client/sss_cli.h | |
parent | 94cafd6f5b63aac3ad084d14fa3be24213374021 (diff) | |
download | sssd-7343ee3d775303845e2528c676c59ef3582d6b27.tar.gz sssd-7343ee3d775303845e2528c676c59ef3582d6b27.tar.xz sssd-7343ee3d775303845e2528c676c59ef3582d6b27.zip |
Handle expired passwords like other PAM modules
So far we handled expired password during authentication. Other PAM
modules typically detect expired password during account management and
return PAM_NEW_AUTHTOK_REQD if the password is expired and should be
changed. The PAM library then calls the change password routines. To
meet these standards pam_sss is change accordingly.
As a result it is now possible to update an expired password via ssh if
sssd is running with PasswordAuthentication=yes. One drawback due to
limitations of PAM is that the user now has to type his current password
again before setting a new one.
Diffstat (limited to 'src/sss_client/sss_cli.h')
-rw-r--r-- | src/sss_client/sss_cli.h | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h index 522e0792a..1953db2f4 100644 --- a/src/sss_client/sss_cli.h +++ b/src/sss_client/sss_cli.h @@ -144,7 +144,26 @@ enum sss_cli_command { /* PAM related calls */ SSS_PAM_AUTHENTICATE = 0x00F1, /**< see pam_sm_authenticate(3) for - * details */ + * details. + * + * Additionally we allow sssd to send + * the return code PAM_NEW_AUTHTOK_REQD + * during authentication if the + * authentication was successful but + * the authentication token is expired. + * To meet the standards of libpam we + * return PAM_SUCCESS for + * authentication and set a flag so + * that the account management module + * can return PAM_NEW_AUTHTOK_REQD if + * sssd return success for account + * management. We do this to reduce the + * communication with external servers, + * because there are cases, e.g. + * Kerberos authentication, where the + * information that the password is + * expired is already available during + * authentication. */ SSS_PAM_SETCRED = 0x00F2, /**< see pam_sm_setcred(3) for * details */ SSS_PAM_ACCT_MGMT = 0x00F3, /**< see pam_sm_acct_mgmt(3) for |