[Pkg-xfce-devel] Bug#735670: lightdm asks for the LDAP administrator password when changing an expired password

Yves-Alexis Perez corsac at debian.org
Wed Jan 29 20:28:08 UTC 2014


On Wed, Jan 29, 2014 at 07:16:01PM +0000, Steve Langasek wrote:
> On Mon, Jan 27, 2014 at 08:55:05PM +0100, Yves-Alexis Perez wrote:
> > > Steve about the man page:
> > > > Well, this information from the manpage authoritatively describes how the
> > > > flag is meant to be used: if pam_chauthtok() is being called to request
> > > > changing expired tokens, the flag is expected to be passed.
> > That's not what it says:
> >      This argument indicates to the modules that the users
> >      authentication token (password) should only be changed if it has
> >      expired. If this argument is not passed, the application requires
> >      that all authentication tokens are to be changed.
> > I'm not a native speaker, but I parse it as “if it's passed, the password
> > won't be changed unless it has expired” and “if it's not passed, all the
> > authentication tokens should be changed”. Nothing relevant to the
> > superuser is given here, and nothing says the flag must be passed in order
> > to change an expired password.
> > So maybe it should be rephrased to describe more precisely what it does?
> I don't think there's anything imprecise here.  It says nothing about the
> superuser because that's not part of the spec; it's a side effect of the
> application misusing the API.
> If an application is enforcing a password change policy on the user by

It seems that PAM is actually considering the password expired and wants
it changed; I'm not sure the application is really enforcing anything.

> forcing expired passwords to be reset, you must be passing
> PAM_CHANGE_EXPIRED_AUTHTOK.  The application should not be calling
> pam_chauthtok() *without* PAM_CHANGE_EXPIRED_AUTHTOK unless there's a
> user-initiated request for changing the password.

Well, again, I think that needs to be clarified in the documentation.
Because it's pretty clear when you say it, but it's definitely not in
the man page.

> It's just wrong for the
> application to insist all un-expired authentication tokens be changed just
> because one authentication token is expired.

Since the beginning I have taken “authentication token” to mean “password”, but I
have the feeling it's more than that, so feel free to point me to some
documentation here.

-- 
Yves-Alexis Perez
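Steve's rule about the flag (pass PAM_CHANGE_EXPIRED_AUTHTOK when reacting to an expired token after pam_acct_mgmt(), pass 0 only for a change the user asked for) as an added illustration; this is not code from the thread, from lightdm or from Linux-PAM. The block models the pam_chauthtok(3) contract in plain C without linking libpam: the constant values are copied from Linux-PAM's headers, the module stack with its two tokens is constructed sample data, and app_chauthtok_flags and simulate_login are hypothetical names for the application-side decision.

```c
/*
 * Added illustration of the PAM_CHANGE_EXPIRED_AUTHTOK contract discussed
 * in this thread. It does not link against libpam: the constants are copied
 * from Linux-PAM's <security/_pam_types.h>, and the module "stack" is a
 * constructed in-memory array, not lightdm's or the bug reporter's setup.
 */
#include <stdio.h>

/* Return codes and flags, values as defined by Linux-PAM. */
#define PAM_SUCCESS                0
#define PAM_NEW_AUTHTOK_REQD       12
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020

/* One module's authentication token. Two modules, hence two tokens for
 * the same user, is the multi-token case Steve describes. */
struct authtok {
    const char *module;
    int expired;   /* 1 if this token has aged out */
    int changed;   /* set when the simulated module rotates it */
};

/* Module side, pam_sm_chauthtok() as the man page specifies it: with
 * PAM_CHANGE_EXPIRED_AUTHTOK only an expired token is touched; without
 * the flag the module must change its token unconditionally.
 * Returns 1 if this module changed its token. */
static int module_chauthtok(struct authtok *tok, int flags)
{
    if ((flags & PAM_CHANGE_EXPIRED_AUTHTOK) && !tok->expired)
        return 0;               /* still valid: leave it alone */
    tok->changed = 1;
    return 1;
}

/* Simulated pam_acct_mgmt(): any expired token makes PAM demand a change. */
static int stack_acct_mgmt(const struct authtok *stack, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (stack[i].expired)
            return PAM_NEW_AUTHTOK_REQD;
    return PAM_SUCCESS;
}

/* Simulated pam_chauthtok(): run every module, count changed tokens. */
static int stack_chauthtok(struct authtok *stack, size_t n, int flags)
{
    int changed = 0;
    for (size_t i = 0; i < n; i++)
        changed += module_chauthtok(&stack[i], flags);
    return changed;
}

/* Application side (hypothetical helper). After pam_acct_mgmt() reports
 * PAM_NEW_AUTHTOK_REQD the login program must pass
 * PAM_CHANGE_EXPIRED_AUTHTOK; flags of 0 are only correct for a change the
 * user asked for. Returns -1 when no change is due at all. */
int app_chauthtok_flags(int acct_rc, int user_requested)
{
    if (user_requested)
        return 0;                            /* user wants everything changed */
    if (acct_rc == PAM_NEW_AUTHTOK_REQD)
        return PAM_CHANGE_EXPIRED_AUTHTOK;   /* forced: expired tokens only */
    return -1;
}

/* Login flow over a constructed stack with one expired and one valid
 * token. omit_flag=1 reproduces the misuse under discussion (calling
 * pam_chauthtok() with 0). Returns how many tokens got changed. */
int simulate_login(int omit_flag)
{
    struct authtok stack[] = {
        { "module A", 1, 0 },   /* constructed: this token has expired */
        { "module B", 0, 0 },   /* constructed: this one is still valid */
    };
    size_t n = sizeof stack / sizeof stack[0];
    int flags = app_chauthtok_flags(stack_acct_mgmt(stack, n), 0);
    if (flags < 0)
        return 0;
    if (omit_flag)
        flags &= ~PAM_CHANGE_EXPIRED_AUTHTOK;
    return stack_chauthtok(stack, n, flags);
}

int main(void)
{
    printf("with PAM_CHANGE_EXPIRED_AUTHTOK: %d token(s) changed\n", simulate_login(0));
    printf("without the flag:                %d token(s) changed\n", simulate_login(1));
    return 0;
}
```

With the flag only the expired token is rotated; with flags of 0 both modules change their tokens, which is the “insist all un-expired authentication tokens be changed” behaviour Steve calls a misuse of the API. The same split applies to the real calls: pam_acct_mgmt() returning PAM_NEW_AUTHTOK_REQD should lead to pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK), and a passwd-style user request to pam_chauthtok(pamh, 0).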