On Mon, Jan 27, 2014 at 08:55:05PM +0100, Yves-Alexis Perez wrote:
> > Steve about the man page:
> > > Well, this information from the manpage authoritatively describes how the
> > > flag is meant to be used: if pam_chauthtok() is being called to request
> > > changing expired tokens, the flag is expected to be passed.
> That's not what it says:
>
>     PAM_CHANGE_EXPIRED_AUTHTOK
>         This argument indicates to the modules that the users
>         authentication token (password) should only be changed if it has
>         expired. If this argument is not passed, the application requires
>         that all authentication tokens are to be changed.
>
> I'm not a native speaker, but I parse as “if it's passed, the password
> won't be changed if it has expired” and “if it's not passed, all the
> authentication tokens should be changed”. Nothing relevant to the
> superuser is given here, and nothing says flag must be passed in order
> to change expired password.
> So maybe it should be rephrased to more precisely describe what it does?

I don't think there's anything imprecise here. It says nothing about the
superuser because that's not part of the spec; it's a side effect of the
application misusing the API.

If an application is enforcing a password change policy on the user by
forcing expired passwords to be reset, you must be passing
PAM_CHANGE_EXPIRED_AUTHTOK. The application should not be calling
pam_chauthtok() *without* PAM_CHANGE_EXPIRED_AUTHTOK unless there's a
user-initiated request for changing the password. It's just wrong for the
application to insist all un-expired authentication tokens be changed just
because one authentication token is expired.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org