From 7343ee3d775303845e2528c676c59ef3582d6b27 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 22 Feb 2010 09:10:32 +0100
Subject: Handle expired passwords like other PAM modules
So far we handled expired password during authentication. Other PAM modules typically detect expired password during account management and return PAM_NEW_AUTHTOK_REQD if the password is expired and should be changed. The PAM library then calls the change password routines. To meet these standards pam_sss is change accordingly. As a result it is now possible to update an expired password via ssh if sssd is running with PasswordAuthentication=yes. One drawback due to limitations of PAM is that the user now has to type his current password again before setting a new one.
---
 src/providers/krb5/krb5_child.c | 2 +-
 src/providers/ldap/ldap_auth.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'src/providers')
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index d1cc53fd4..08df59845 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -688,7 +688,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
 pam_status = PAM_AUTHINFO_UNAVAIL;
 break;
 case KRB5KDC_ERR_KEY_EXP:
- pam_status = PAM_AUTHTOK_EXPIRED;
+ pam_status = PAM_NEW_AUTHTOK_REQD;
 break;
 case KRB5KDC_ERR_PREAUTH_FAILED:
 pam_status = PAM_CRED_ERR;
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index cfe8adb97..ba1136bdd 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -983,7 +983,7 @@ static void sdap_pam_auth_done(struct tevent_req *req)
 state->pd->pam_status = PAM_ACCT_EXPIRED;
 break;
 case SDAP_AUTH_PW_EXPIRED:
- state->pd->pam_status = PAM_AUTHTOK_EXPIRED;
+ state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;
 break;
 default:
 state->pd->pam_status = PAM_SYSTEM_ERR;
-- 
cgit
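Review bot: Both hunks (the KRB5KDC_ERR_KEY_EXP case in tgt_req_child() and the SDAP_AUTH_PW_EXPIRED case in sdap_pam_auth_done()) now store PAM_NEW_AUTHTOK_REQD, an account-management return code, from an authentication-phase result without a comment saying why, and the mapping only works if the responder and pam_sss pass it through as the commit description assumes, which is not visible here since the patch is limited to src/providers. I would add above each new assignment `/* Expired password: report PAM_NEW_AUTHTOK_REQD so the acct-management phase makes libpam run chauthtok instead of failing auth */` so the next reader does not "fix" it back to PAM_AUTHTOK_EXPIRED. Any remaining code in these providers or the responder that still matches on PAM_AUTHTOK_EXPIRED for the same condition is presumably outside this view and should be checked so the two paths do not diverge. Both enclosing switch statements and functions start and end outside the hunks.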