From: nekral-guest Date: Sun, 19 Apr 2009 16:22:17 +0000 (+0000) Subject: * NEWS, src/login.c: Also check if the authentication token of the X-Git-Tag: 4.1.4~171 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=131e95ffaf6cdf630d51814d89ca21c440a0b76b;p=shadow * NEWS, src/login.c: Also check if the authentication token of the user has to be updated in case the user was already authenticated. --- diff --git a/ChangeLog b/ChangeLog index 0098d65c..e2c1d6fc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2009-04-19 Nicolas François + + * NEWS, src/login.c: Also check if the authentication token of the + user has to be updated in case the user was already authenticated. + 2009-04-19 Nicolas François * src/login.c: fflg is already restricted to root. Move diff --git a/NEWS b/NEWS index 39aa7f0c..49525c54 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,8 @@ shadow-4.1.3.1 -> shadow-4.1.3.2 UNRELEASED - login * Do not trust the current utmp entry's ut_line to set PAM_TTY. This could lead to DOS attacks. + * (PAM) Even if the user was already authenticated (-f flag), ask the + user to update his authentication token if needed. shadow-4.1.3 -> shadow-4.1.3.1 2009-04-15 diff --git a/src/login.c b/src/login.c index 4d60bc3d..30f6aab2 100644 --- a/src/login.c +++ b/src/login.c @@ -811,17 +811,14 @@ int main (int argc, char **argv) /* We don't get here unless they were authenticated above */ alarm (0); - retcode = pam_acct_mgmt (pamh, 0); - - if (retcode == PAM_NEW_AUTHTOK_REQD) { - retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK); - } + } - PAM_FAIL_CHECK; - } else (fflg) { - retcode = pam_acct_mgmt (pamh, 0); - PAM_FAIL_CHECK; + /* Check the account validity */ + retcode = pam_acct_mgmt (pamh, 0); + if (retcode == PAM_NEW_AUTHTOK_REQD) { + retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK); } + PAM_FAIL_CHECK; /* Grab the user information out of the password file for future usage First get the username that we are actually using, though.
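Review bot: The `alarm (0);` that cancels the login timeout is still inside the authentication block that the added `}` closes, while the relocated `pam_acct_mgmt`/`pam_chauthtok` sequence now also runs for logins that skipped that block (the -f case named in NEWS). Where the timeout is armed is not visible in this hunk; if it is set before the block, a pre-authenticated user with an expired token could have the password-change conversation cut off by SIGALRM, so either move `alarm (0);` below the closing brace or confirm the alarm is never armed on that path. The new comment would also be more useful as `/* Check the account validity; an expired token forces a change, also for pre-authenticated (-f) logins */`. main() starts and ends outside the hunk, so both points need checking against the full function.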