authorSumit Bose <sbose@redhat.com>2010-02-22 09:10:32 +0100
committerStephen Gallagher <sgallagh@redhat.com>2010-02-23 16:16:24 -0500
commit7343ee3d775303845e2528c676c59ef3582d6b27 (patch)
tree430a3aff0b029462db53a40272811b3733bbe7b7 /src/sss_client/sss_cli.h
parent94cafd6f5b63aac3ad084d14fa3be24213374021 (diff)
Handle expired passwords like other PAM modules
So far we handled expired passwords during authentication. Other PAM modules typically detect an expired password during account management and return PAM_NEW_AUTHTOK_REQD if the password is expired and should be changed. The PAM library then calls the change-password routines. To meet these standards pam_sss is changed accordingly. As a result it is now possible to update an expired password via ssh if sssd is running with PasswordAuthentication=yes. One drawback, due to limitations of PAM, is that the user now has to type his current password again before setting a new one.
Diffstat (limited to 'src/sss_client/sss_cli.h')
-rw-r--r--src/sss_client/sss_cli.h21
1 files changed, 20 insertions, 1 deletions
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 522e0792a..1953db2f4 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -144,7 +144,26 @@ enum sss_cli_command {
/* PAM related calls */
SSS_PAM_AUTHENTICATE = 0x00F1, /**< see pam_sm_authenticate(3) for
- * details */
+ * details.
+ *
+ * Additionally we allow sssd to send
+ * the return code PAM_NEW_AUTHTOK_REQD
+ * during authentication if the
+ * authentication was successful but
+ * the authentication token is expired.
+ * To meet the standards of libpam we
+ * return PAM_SUCCESS for
+ * authentication and set a flag so
+ * that the account management module
+ * can return PAM_NEW_AUTHTOK_REQD if
+ * sssd return success for account
+ * management. We do this to reduce the
+ * communication with external servers,
+ * because there are cases, e.g.
+ * Kerberos authentication, where the
+ * information that the password is
+ * expired is already available during
+ * authentication. */
SSS_PAM_SETCRED = 0x00F2, /**< see pam_sm_setcred(3) for
* details */
SSS_PAM_ACCT_MGMT = 0x00F3, /**< see pam_sm_acct_mgmt(3) for