* NEWS, src/login.c: Also check if the authentication token of the

user has to be updated in case the user was already authenticated.
nekral-guest 2009-04-19 16:22:17 +00:00
parent ca10b825c7
commit 131e95ffaf
3 changed files with 14 additions and 10 deletions


@ -1,3 +1,8 @@
2009-04-19 Nicolas François <nicolas.francois@centraliens.net>
* NEWS, src/login.c: Also check if the authentication token of the
user has to be updated in case the user was already authenticated.
2009-04-19 Nicolas François <nicolas.francois@centraliens.net>
* src/login.c: fflg is already restricted to root. Move

2
NEWS

@ -5,6 +5,8 @@ shadow-4.1.3.1 -> shadow-4.1.3.2 UNRELEASED
- login
* Do not trust the current utmp entry's ut_line to set PAM_TTY. This could
lead to DOS attacks.
* (PAM) Even if the user was already authenticated (-f flag), ask the
user to update his authentication token if needed.
shadow-4.1.3 -> shadow-4.1.3.1 2009-04-15


@ -811,18 +811,15 @@ int main (int argc, char **argv)
/* We don't get here unless they were authenticated above */
alarm (0);
retcode = pam_acct_mgmt (pamh, 0);
if (retcode == PAM_NEW_AUTHTOK_REQD) {
retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
}
PAM_FAIL_CHECK;
} else (fflg) {
retcode = pam_acct_mgmt (pamh, 0);
PAM_FAIL_CHECK;
}
/* Check the account validity */
retcode = pam_acct_mgmt (pamh, 0);
if (retcode == PAM_NEW_AUTHTOK_REQD) {
retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
}
PAM_FAIL_CHECK;
/* Grab the user information out of the password file for future usage
First get the username that we are actually using, though.
*/
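Review bot: The new comment `/* Check the account validity */` does not say that this block now also runs for preauthenticated (-f) logins and can start an interactive token change, which is the security-relevant part of the hunk. I would write it as `/* Check the account validity, also for -f logins; an expired token (PAM_NEW_AUTHTOK_REQD) must be changed here before the login proceeds */`. The only `alarm (0)` visible here sits inside the branch above, so this hunk does not show whether the login timeout is still armed while `pam_chauthtok` prompts on the -f path; that is worth confirming, because a pending alarm could cut the prompt off. `main` starts and ends outside the hunk and `PAM_FAIL_CHECK` is defined elsewhere, so how a failed `pam_chauthtok` is reported cannot be checked from these lines.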