On Wed, Jan 29, 2014 at 07:16:01PM +0000, Steve Langasek wrote:
> On Mon, Jan 27, 2014 at 08:55:05PM +0100, Yves-Alexis Perez wrote:
> > Steve about the man page:
> > > Well, this information from the manpage authoritatively describes how the
> > > flag is meant to be used: if pam_chauthtok() is being called to request
> > > changing expired tokens, the flag is expected to be passed.
>
> > That's not what it says:
>
> >     PAM_CHANGE_EXPIRED_AUTHTOK
> >         This argument indicates to the modules that the users
> >         authentication token (password) should only be changed if it has
> >         expired. If this argument is not passed, the application requires
> >         that all authentication tokens are to be changed.
>
> > I'm not a native speaker, but I parse it as “if it's passed, the password
> > won't be changed if it has expired” and “if it's not passed, all the
> > authentication tokens should be changed”. Nothing relevant to the
> > superuser is given here, and nothing says the flag must be passed in order
> > to change an expired password.
>
> > So maybe it should be rephrased to more precisely describe what it does?
>
> I don't think there's anything imprecise here. It says nothing about the
> superuser because that's not part of the spec; it's a side effect of the
> application misusing the API.
>
> If an application is enforcing a password change policy on the user by

It seems that PAM is actually considering the password expired and wants it
changed; I'm not sure the application is really enforcing anything.

> forcing expired passwords to be reset, you must be passing
> PAM_CHANGE_EXPIRED_AUTHTOK. The application should not be calling
> pam_chauthtok() *without* PAM_CHANGE_EXPIRED_AUTHTOK unless there's a
> user-initiated request for changing the password.

Well, again, I think that needs to be clarified in the documentation. Because
it's pretty clear when you say it, but it's definitely not in the man page.

> It's just wrong for the application to insist all un-expired authentication
> tokens be changed just because one authentication token is expired.

Since the beginning I take “authentication token” as “password”, but I have the
feeling it's more than that, so feel free to point me to some documentation
here.

Regards,
-- 
Yves-Alexis Perez