[Pkg-xfce-devel] Bug#735670: Bug#735670: lightdm ask ldap administrator password when changing a password expired
vorlon at debian.org
Wed Jan 29 19:16:01 UTC 2014
On Mon, Jan 27, 2014 at 08:55:05PM +0100, Yves-Alexis Perez wrote:
> > Steve about the man page:
> > > Well, this information from the manpage authoritatively describes how the
> > > flag is meant to be used: if pam_chauthtok() is being called to request
> > > changing expired tokens, the flag is expected to be passed.
> That's not what it says:
> This argument indicates to the modules that the users
> authentication token (password) should only be changed if it has
> expired. If this argument is not passed, the application requires
> that all authentication tokens are to be changed.
> I'm not a native speaker, but I parse as “if it's passed, the password
> won't be changed if it has expired” and “if it's not passed, all the
> authentication tokens should be changed”. Nothing relevant to the
> superuser is given here, and nothing says flag must be passed in order
> to change expired password.
> So maybe it should be rephrased to more precisely describe what it does?
I don't think there's anything imprecise here. It says nothing about the
superuser because that's not part of the spec; it's a side effect of the
application misusing the API.
If an application is enforcing a password change policy on the user by
forcing expired passwords to be reset, you must be passing
PAM_CHANGE_EXPIRED_AUTHTOK. The application should not be calling
pam_chauthtok() *without* PAM_CHANGE_EXPIRED_AUTHTOK unless there's a
user-initiated request for changing the password. It's just wrong for the
application to insist all un-expired authentication tokens be changed just
because one authentication token is expired.
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org
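
The calling rule from the message above, as an added C sketch that is not code from this thread, lightdm or Linux-PAM. The two stub functions and the "local"/"directory" token stack are constructed stand-ins for `pam_acct_mgmt()`, `pam_chauthtok()` and a two-module password stack. The flag constants are assumed to match Linux-PAM's headers.

```c
#include <stdio.h>

/* Assumed to mirror Linux-PAM's headers; a real application includes
 * <security/pam_appl.h> and links with -lpam instead of defining these. */
#define PAM_SUCCESS                0
#define PAM_NEW_AUTHTOK_REQD       12
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020U

/* Constructed stand-in for one password module's token in the stack. */
struct token { const char *module; int expired; int changed; };

/* Stub for pam_acct_mgmt(): reports whether any token has expired. */
int stub_acct_mgmt(const struct token *t, int n) {
    for (int i = 0; i < n; i++)
        if (t[i].expired) return PAM_NEW_AUTHTOK_REQD;
    return PAM_SUCCESS;
}

/* Stub for pam_chauthtok(), following the man page text quoted above:
 * with the flag only expired tokens change, without it all of them do.
 * Unlike the real call, it returns the number of tokens it changed. */
int stub_chauthtok(struct token *t, int n, unsigned flags) {
    int count = 0;
    for (int i = 0; i < n; i++) {
        if ((flags & PAM_CHANGE_EXPIRED_AUTHTOK) && !t[i].expired) continue;
        t[i].changed = 1; t[i].expired = 0; count++;
    }
    return count;
}

/* Login-time policy enforcement: reacts only to expiry, always with the flag. */
int enforce_expiry(struct token *t, int n) {
    if (stub_acct_mgmt(t, n) != PAM_NEW_AUTHTOK_REQD) return 0;
    return stub_chauthtok(t, n, PAM_CHANGE_EXPIRED_AUTHTOK);
}

/* User-initiated change request: the only case that omits the flag. */
int user_requested_change(struct token *t, int n) {
    return stub_chauthtok(t, n, 0);
}

int main(void) {
    struct token a[2] = { {"local", 1, 0}, {"directory", 0, 0} };
    struct token b[2] = { {"local", 1, 0}, {"directory", 0, 0} };
    printf("enforced at login: %d token(s) changed, directory touched: %d\n",
           enforce_expiry(a, 2), a[1].changed);
    printf("user-initiated: %d token(s) changed\n", user_requested_change(b, 2));
    return 0;
}
```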