* NEWS, src/login.c: Also check if the authentication token of the

user has to be updated in case the user was already authenticated.

ChangeLog

@@ -1,3 +1,8 @@
+2009-04-19  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* NEWS, src/login.c: Also check if the authentication token of the
+	user has to be updated in case the user was already authenticated.
+
 2009-04-19  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* src/login.c: fflg is already restricted to root. Move

NEWS

@@ -5,6 +5,8 @@ shadow-4.1.3.1 -> shadow-4.1.3.2					UNRELEASED
 - login
   * Do not trust the current utmp entry's ut_line to set PAM_TTY. This could
     lead to DOS attacks.
+  * (PAM) Even if the user was already authenticated (-f flag), ask the
+    user to update his authentication token if needed.
 
 shadow-4.1.3 -> shadow-4.1.3.1						2009-04-15
 

src/login.c

@@ -811,18 +811,15 @@ int main (int argc, char **argv)
 
 		/* We don't get here unless they were authenticated above */
 		alarm (0);
-		retcode = pam_acct_mgmt (pamh, 0);
-
-		if (retcode == PAM_NEW_AUTHTOK_REQD) {
-			retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
-		}
-
-		PAM_FAIL_CHECK;
-	} else (fflg) {
-		retcode = pam_acct_mgmt (pamh, 0);
-		PAM_FAIL_CHECK;
 	}
 
+	/* Check the account validity */
+	retcode = pam_acct_mgmt (pamh, 0);
+	if (retcode == PAM_NEW_AUTHTOK_REQD) {
+		retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+	}
+	PAM_FAIL_CHECK;
+
 	/* Grab the user information out of the password file for future usage
 	   First get the username that we are actually using, though.
 	 */