From 7343ee3d775303845e2528c676c59ef3582d6b27 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 22 Feb 2010 09:10:32 +0100 Subject: Handle expired passwords like other PAM modules So far we handled expired password during authentication. Other PAM modules typically detect expired password during account management and return PAM_NEW_AUTHTOK_REQD if the password is expired and should be changed. The PAM library then calls the change password routines. To meet these standards pam_sss is change accordingly. As a result it is now possible to update an expired password via ssh if sssd is running with PasswordAuthentication=yes. One drawback due to limitations of PAM is that the user now has to type his current password again before setting a new one. --- src/sss_client/sss_cli.h | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) (limited to 'src/sss_client/sss_cli.h') diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h index 522e0792a..1953db2f4 100644 --- a/src/sss_client/sss_cli.h +++ b/src/sss_client/sss_cli.h @@ -144,7 +144,26 @@ enum sss_cli_command { /* PAM related calls */ SSS_PAM_AUTHENTICATE = 0x00F1, /**< see pam_sm_authenticate(3) for - * details */ + * details. + * + * Additionally we allow sssd to send + * the return code PAM_NEW_AUTHTOK_REQD + * during authentication if the + * authentication was successful but + * the authentication token is expired. + * To meet the standards of libpam we + * return PAM_SUCCESS for + * authentication and set a flag so + * that the account management module + * can return PAM_NEW_AUTHTOK_REQD if + * sssd return success for account + * management. We do this to reduce the + * communication with external servers, + * because there are cases, e.g. + * Kerberos authentication, where the + * information that the password is + * expired is already available during + * authentication. */ SSS_PAM_SETCRED = 0x00F2, /**< see pam_sm_setcred(3) for * details */ SSS_PAM_ACCT_MGMT = 0x00F3, /**< see pam_sm_acct_mgmt(3) for -- cgit