Hi there, is there any reason why the code for supporting expired PAM accounts in auth-pam.c:do_pam_account is commented out? Ie. it is not possible to log in to an expired account. When you enable this, the login procedure asks for a new password - all of this seems to work fine. This was enabled in version 3.1 or so, but now? Thanks Stephan -- Stephan M?ller Stephan.Mueller at atsec.com Whenever you eliminate the impossible, whatever remains, however improbable, must be the truth.
On Mon, 24 Jun 2002, Stephan Mueller wrote:> Hi there, > > is there any reason why the code for supporting expired PAM accounts in > auth-pam.c:do_pam_account is commented out? > > Ie. it is not possible to log in to an expired account. When you enable this, > the login procedure asks for a new password - all of this seems to work fine. > > This was enabled in version 3.1 or so, but now? >There are conflicts in the way PAM works and how PrivSep works. It's on the list of things to fix. - Ben
Possibly Parallel Threads
- PAMAuthenticationViaKbdInt and KeyAuth
- [Bug 808] segfault if not using pam/keyboard-interactive mech and password's expired
- [Bug 256] New: Expired password unchangeable again with pam support
- patch: openssh empty password fail with pam/sshv1
- [PATCH]: Call pam_chauthtok from keyboard-interactive.