+2009-04-19 Nicolas François <nicolas.francois@centraliens.net>
+
+ * NEWS, src/login.c: Also check if the authentication token of the
+ user has to be updated in case the user was already authenticated.
+
2009-04-19 Nicolas François <nicolas.francois@centraliens.net>
* src/login.c: fflg is already restricted to root. Move
- login
* Do not trust the current utmp entry's ut_line to set PAM_TTY. This could
lead to DOS attacks.
+ * (PAM) Even if the user was already authenticated (-f flag), ask the
+ user to update his authentication token if needed.
shadow-4.1.3 -> shadow-4.1.3.1 2009-04-15
/* We don't get here unless they were authenticated above */
alarm (0);
- retcode = pam_acct_mgmt (pamh, 0);
-
- if (retcode == PAM_NEW_AUTHTOK_REQD) {
- retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
- }
+ }
- PAM_FAIL_CHECK;
- } else (fflg) {
- retcode = pam_acct_mgmt (pamh, 0);
- PAM_FAIL_CHECK;
+ /* Check the account validity */
+ retcode = pam_acct_mgmt (pamh, 0);
+ if (retcode == PAM_NEW_AUTHTOK_REQD) {
+ retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
}
+ PAM_FAIL_CHECK;
/* Grab the user information out of the password file for future usage
First get the username that we are actually using, though.
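Review bot: The comment `/* Check the account validity */` understates what the relocated block now does: after the added `}` it runs for every login, and per the NEWS entry it is the point where a pre-authenticated (-f) session can be forced through an interactive token change. I would spell that out, e.g. `/* Account check for all logins, including pre-authenticated (-f) ones; an expired token forces pam_chauthtok() before the session may proceed. */`, and note that the single `PAM_FAIL_CHECK` (presumably testing `retcode`; the macro is not in the hunk) covers whichever of the two calls ran last. One thing to confirm outside the hunk: `alarm (0)` remains inside the authentication block, so on the -f path the password-change conversation may run with the login timeout still armed, while on the normal path it runs with no timeout at all. The enclosing function starts and ends outside this hunk, so both observations are limited to the lines shown.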