[Pkg-xfce-devel] Bug#735670: lightdm ask ldap administrator password when changing a password expired

Steve Langasek vorlon at debian.org
Wed Jan 29 19:16:01 UTC 2014


On Mon, Jan 27, 2014 at 08:55:05PM +0100, Yves-Alexis Perez wrote:

> > Steve about the man page:
> > > Well, this information from the manpage authoritatively describes how the
> > > flag is meant to be used: if pam_chauthtok() is being called to request
> > > changing expired tokens, the flag is expected to be passed.

> That's not what it says:

> PAM_CHANGE_EXPIRED_AUTHTOK
>      This argument indicates to the modules that the user's
>      authentication token (password) should only be changed if it has
>      expired. If this argument is not passed, the application requires
>      that all authentication tokens are to be changed.

> I'm not a native speaker, but I parse it as “if it's passed, the password
> won't be changed if it has expired” and “if it's not passed, all the
> authentication tokens should be changed”. Nothing relevant to the
> superuser is given here, and nothing says the flag must be passed in order
> to change an expired password.

> So maybe it should be rephrased to more precisely describe what it does?

I don't think there's anything imprecise here.  It says nothing about the
superuser because that's not part of the spec; it's a side effect of the
application misusing the API.

If an application is enforcing a password change policy on the user by
forcing expired passwords to be reset, you must be passing
PAM_CHANGE_EXPIRED_AUTHTOK.  The application should not be calling
pam_chauthtok() *without* PAM_CHANGE_EXPIRED_AUTHTOK unless there's a
user-initiated request for changing the password.  It's just wrong for the
application to insist all un-expired authentication tokens be changed just
because one authentication token is expired.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
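The flag-selection rule argued above, as an added example; this is not lightdm's code nor part of Linux-PAM, and the function names (chauthtok_flags, login_flow) and the HAVE_LIBPAM build macro are this example's own. The PAM constant values are Linux-PAM's (security/pam_appl.h) and are redefined only so the decision logic compiles and runs without libpam-dev installed; build with `-DHAVE_LIBPAM -lpam` to use the real header and the libpam login sequence.

```c
/*
 * Added example: how a PAM client (a display manager, for instance) should
 * choose the flags for pam_chauthtok().  The rule from the thread:
 *   - pam_acct_mgmt() reported an expired password during login
 *       -> pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK)
 *   - password not expired during login
 *       -> do not call pam_chauthtok() at all
 *   - the user explicitly asked to change the password
 *       -> pam_chauthtok(pamh, 0), i.e. "change all tokens"
 * Calling with flags 0 when only one token has expired is the misuse that
 * makes modules treat the request as a full change (the LDAP admin-password
 * prompt reported in this bug is a side effect of that).
 */
#include <stdio.h>

#ifdef HAVE_LIBPAM
#include <security/pam_appl.h>
#else
/* Linux-PAM values, redefined here only for building without libpam-dev. */
#define PAM_SUCCESS                0
#define PAM_NEW_AUTHTOK_REQD       12      /* pam_acct_mgmt(): password expired */
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020  /* pam_chauthtok() flag            */
#endif

/* Why the application is considering a password change. */
enum chauthtok_reason {
    REASON_LOGIN_POLICY,  /* driven by the login flow after pam_acct_mgmt() */
    REASON_USER_REQUEST   /* the user asked to change their password         */
};

/* Returns the flags to pass to pam_chauthtok(), or -1 if it must not be
 * called.  acct_mgmt_rc is the return value of pam_acct_mgmt(). */
int chauthtok_flags(int acct_mgmt_rc, enum chauthtok_reason reason)
{
    if (reason == REASON_USER_REQUEST)
        return 0;                          /* user-initiated: change all tokens */
    if (acct_mgmt_rc == PAM_NEW_AUTHTOK_REQD)
        return PAM_CHANGE_EXPIRED_AUTHTOK; /* policy: only the expired token    */
    return -1;                             /* nothing expired: no change at all */
}

#ifdef HAVE_LIBPAM
/* Login sequence against the real API.  pamh comes from pam_start() with a
 * conversation function the caller has already set up. */
int login_flow(pam_handle_t *pamh)
{
    int rc = pam_authenticate(pamh, 0);
    if (rc != PAM_SUCCESS)
        return rc;
    rc = pam_acct_mgmt(pamh, 0);
    if (rc == PAM_NEW_AUTHTOK_REQD) {
        /* Only reached for an expired token, so the flag is always set here. */
        rc = pam_chauthtok(pamh, chauthtok_flags(rc, REASON_LOGIN_POLICY));
    }
    return rc;
}
#endif

int main(void)
{
    /* Constructed cases: the situations a login manager can end up in. */
    struct { int rc; enum chauthtok_reason why; const char *label; } cases[] = {
        { PAM_NEW_AUTHTOK_REQD, REASON_LOGIN_POLICY, "login, password expired"       },
        { PAM_SUCCESS,          REASON_LOGIN_POLICY, "login, password valid"         },
        { PAM_SUCCESS,          REASON_USER_REQUEST, "user asked to change password" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int flags = chauthtok_flags(cases[i].rc, cases[i].why);
        if (flags < 0)
            printf("%-32s -> do not call pam_chauthtok()\n", cases[i].label);
        else
            printf("%-32s -> pam_chauthtok(pamh, 0x%04x)\n", cases[i].label, flags);
    }
    return 0;
}
```

The decision is kept in a pure function so it can be unit-tested without a PAM stack, and the libpam branch only ever calls pam_chauthtok() from the PAM_NEW_AUTHTOK_REQD path, which is the behaviour the thread says a display manager must have.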