- login omits pam_acct_mgmt & pam_chauthtok when authentication is skipped
--- util-linux-2.13-pre6/login-utils/login.c.acct 2006-02-22 21:43:03.000000000 +0100
+++ util-linux-2.13-pre6/login-utils/login.c 2006-02-22 21:57:55.000000000 +0100
@@ -602,16 +602,22 @@
 pam_end(pamh, retcode);
 exit(0);
 }
+ }

- retcode = pam_acct_mgmt(pamh, 0);
-
- if(retcode == PAM_NEW_AUTHTOK_REQD) {
- retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
- }
+ /*
+ * Authentication may be skipped (for example, during krlogin, rlogin, etc...),
+ * but it doesn't mean that we can skip other account checks. The account
+ * could be disabled or password expired (althought kerberos ticket is valid).
+ * -- kzak@redhat.com (22-Feb-2006)
+ */
+ retcode = pam_acct_mgmt(pamh, 0);

- PAM_FAIL_CHECK;
+ if(retcode == PAM_NEW_AUTHTOK_REQD) {
+ retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
 }

+ PAM_FAIL_CHECK;
+
 /*
 * Grab the user information out of the password file for future usage
 * First get the username that we are actually using, though.
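Review bot: With the account block moved out of the authentication branch, `pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK)` is now also reachable on the path where authentication was skipped, so an expired password can be changed in a session that never ran the auth stack. Whether the old password is still demanded there depends on the configured password modules, which this hunk does not show; login presumably still holds its starting privileges at this point, which some modules may treat as an administrative change. I would extend the new comment with a line such as `* pam_chauthtok() can now run without prior authentication; the password stack must verify the old token itself.` and confirm that behaviour for the krlogin/rlogin case before merging. The enclosing function starts and ends outside the hunk, and `PAM_FAIL_CHECK` is defined elsewhere, so how a failed account check is reported cannot be judged from here.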