Commit | Line | Data |
---|---|---|
5545a732 JR |
1 | - login omits pam_acct_mgmt & pam_chauthtok when authentication is skipped |
2 | ||
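--- a/util-linux-2.13-pre6/login-utils/login.c
+++ b/util-linux-2.13-pre6/login-utils/login.c
@@ -602,16 +602,22 @@
 pam_end(pamh, retcode);
 exit(0);
 }
+ }
 
- retcode = pam_acct_mgmt(pamh, 0);
-
- if(retcode == PAM_NEW_AUTHTOK_REQD) {
- retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
- }
+ /*
+ * Authentication may be skipped (for example, during krlogin, rlogin, etc...),
+ * but it doesn't mean that we can skip other account checks. The account
+ * could be disabled or password expired (althought kerberos ticket is valid).
+ * -- kzak@redhat.com (22-Feb-2006)
+ */
+ retcode = pam_acct_mgmt(pamh, 0);
 
- PAM_FAIL_CHECK;
+ if(retcode == PAM_NEW_AUTHTOK_REQD) {
+ retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
 }
 
+ PAM_FAIL_CHECK;
+
 /*
 * Grab the user information out of the password file for future usage
 * First get the username that we are actually using, though.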
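Review bot: The relocated `PAM_FAIL_CHECK;` is now the only statement that enforces the account check on the path where authentication was skipped, and nothing at that line says so. The new comment explains why pam_acct_mgmt() must run, but not how a denial is acted on. I would add above the macro `/* abort the login on any failure from pam_acct_mgmt() or pam_chauthtok(), also when authentication was skipped */`, assuming the macro (defined outside this hunk) ends the session on a non-success `retcode`. It is also worth stating that `retcode` is deliberately overwritten by pam_chauthtok(), so that a successful password change clears PAM_NEW_AUTHTOK_REQD before the check. The enclosing function starts and ends outside the hunk, so which block the added `}` closes cannot be confirmed from these lines.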