On Mon, Jan 27, 2014 at 08:55:05PM +0100, Yves-Alexis Perez wrote:
> > Steve about the man page:
> > > Well, this information from the manpage authoritatively describes how the
> > > flag is meant to be used: if pam_chauthtok() is being called to request
> > > changing expired tokens, the flag is expected to be passed.
> That's not what it says:
> PAM_CHANGE_EXPIRED_AUTHTOK
> This argument indicates to the modules that the users
> authentication token (password) should only be changed if it has
> expired. If this argument is not passed, the application requires
> that all authentication tokens are to be changed.
> I'm not a native speaker, but I parse it as “if it's passed, the password
> won't be changed if it has expired” and “if it's not passed, all the
> authentication tokens should be changed”. Nothing relevant to the
> superuser is given here, and nothing says the flag must be passed in order
> to change an expired password.
> So maybe it should be rephrased to more precisely describe what it does?
I don't think there's anything imprecise here. It says nothing about the
superuser because that's not part of the spec; it's a side effect of the
application misusing the API.
If an application is enforcing a password change policy on the user by
forcing expired passwords to be reset, you must be passing
PAM_CHANGE_EXPIRED_AUTHTOK. The application should not be calling
pam_chauthtok() *without* PAM_CHANGE_EXPIRED_AUTHTOK unless there's a
user-initiated request for changing the password. It's just wrong for the
application to insist all un-expired authentication tokens be changed just
because one authentication token is expired.
--
Steve Langasek, Debian Developer, Ubuntu Developer
http://www.debian.org/
<email address hidden> <email address hidden>
"Give me a lever long enough and a Free OS to set it on, and I can move the world."
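To make the API contract from this reply concrete, here is an added example in C that is not part of the thread and not Linux-PAM code. It models the flag semantics the man page describes with a constructed token stack and a simulated module (real code would call pam_acct_mgmt() and then pam_chauthtok(pamh, flags) on a live handle), and shows the flag-selection rule Steve describes: pass PAM_CHANGE_EXPIRED_AUTHTOK when the application is enforcing expiry, pass 0 only for a user-initiated change. The constant values in the fallback block are copied from Linux-PAM's _pam_types.h for when the development header is not installed; the helper names are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Use the real Linux-PAM definitions when the header is available; otherwise
   fall back to the values from Linux-PAM's _pam_types.h so the logic compiles
   without libpam-dev. Only macros are used, so no linking against libpam. */
#if defined(__has_include)
#  if __has_include(<security/pam_appl.h>)
#    include <security/pam_appl.h>
#    define HAVE_LIBPAM 1
#  endif
#endif
#ifndef HAVE_LIBPAM
#  define PAM_SUCCESS 0
#  define PAM_NEW_AUTHTOK_REQD 12
#  define PAM_CHANGE_EXPIRED_AUTHTOK 0x20
#endif

/* Constructed stand-in for one authentication token handled by a module. */
typedef struct {
    const char *name;
    bool expired;  /* set by the (simulated) module's ageing check */
    bool changed;  /* whether the simulated chauthtok reset it */
} authtok_t;

/* Simulated pam_sm_chauthtok() across the password stack, implementing the
   man-page rule: with PAM_CHANGE_EXPIRED_AUTHTOK only expired tokens are
   changed; without it the application is demanding that all tokens change. */
static int sim_chauthtok(authtok_t *toks, size_t n, int flags)
{
    for (size_t i = 0; i < n; i++) {
        if (flags & PAM_CHANGE_EXPIRED_AUTHTOK) {
            if (toks[i].expired)
                toks[i].changed = true;
        } else {
            toks[i].changed = true;
        }
    }
    return PAM_SUCCESS;
}

/* Application-side rule from the thread. Returns the flags to hand to
   pam_chauthtok(), or -1 when no password change should be attempted at all. */
int chauthtok_flags_for(int acct_mgmt_rc, bool user_requested)
{
    if (user_requested)
        return 0;                          /* e.g. passwd(1): change everything */
    if (acct_mgmt_rc == PAM_NEW_AUTHTOK_REQD)
        return PAM_CHANGE_EXPIRED_AUTHTOK; /* enforcing expiry: touch only expired */
    return -1;                             /* account is fine: do not call it */
}

static size_t count_changed(const authtok_t *toks, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        c += toks[i].changed ? 1 : 0;
    return c;
}

/* Scenario: pam_acct_mgmt() reported PAM_NEW_AUTHTOK_REQD for a stack with one
   expired and one valid token. misuse=true reproduces calling pam_chauthtok()
   without the flag, which drags the un-expired token into the change. */
size_t forced_expiry_changes(bool misuse)
{
    authtok_t toks[] = {
        { "unix-password", true,  false },  /* constructed: expired */
        { "second-factor", false, false },  /* constructed: still valid */
    };
    size_t n = sizeof toks / sizeof toks[0];
    int flags = misuse ? 0 : chauthtok_flags_for(PAM_NEW_AUTHTOK_REQD, false);
    sim_chauthtok(toks, n, flags);
    return count_changed(toks, n);
}

int main(void)
{
    printf("correct (flag passed): %zu token(s) changed\n", forced_expiry_changes(false));
    printf("misuse (no flag):      %zu token(s) changed\n", forced_expiry_changes(true));
    return 0;
}
```

The two scenarios print 1 and 2 respectively: with the flag the module leaves the still-valid token alone, without it every token on the stack is forced to change, which is the behaviour the thread calls an application bug rather than a module or documentation problem.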