Hi,
I was doing some research on why new openssh-versions (3.4 and 3.5p1)
doesnt ask you to change expired passwords (it just disconnects you) and
found something curious.
Line 259 of auth-pam.c has "#if 0" and then the code to set some vars
(eg. password_change_required to true) followed by an "endif". Why is
that? I'm not a C expert, but I think "if 0" is a non-possible
situation, right?
I then removed these conditions, and it worked just fine, changed my
password as it should..
btw, yes, I removed "Privilege Separation" to do these tests.
Here is the piece of code I'm talking about:
switch (pam_retval) {
case PAM_SUCCESS:
/* This is what we want */
break;
#if 0
case PAM_NEW_AUTHTOK_REQD:
message_cat(&__pam_msg, use_privsep ?
NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
/* flag that password change is necessary */
password_change_required = 1;
/* disallow other functionality for now */
no_port_forwarding_flag |= 2;
no_agent_forwarding_flag |= 2;
no_x11_forwarding_flag |= 2;
break;
#endif
default:
log("PAM rejected by account configuration[%d]:
"
"%.200s", pam_retval, PAM_STRERROR(__pamh,
pam_retval));
return(0);
}
