util-linux/util-linux-2.13-login-pam-acct.patch
2006-02-23 14:19:40 +00:00

32 lines
1.0 KiB
Diff

--- util-linux-2.13-pre6/login-utils/login.c.acct 2006-02-22 21:43:03.000000000 +0100
+++ util-linux-2.13-pre6/login-utils/login.c 2006-02-22 21:57:55.000000000 +0100
@@ -602,16 +602,22 @@
pam_end(pamh, retcode);
exit(0);
}
+ }
- retcode = pam_acct_mgmt(pamh, 0);
-
- if(retcode == PAM_NEW_AUTHTOK_REQD) {
- retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
- }
+ /*
+ * Authentication may be skipped (for example, during krlogin, rlogin, etc...),
+ * but it doesn't mean that we can skip other account checks. The account
+ * could be disabled or password expired (althought kerberos ticket is valid).
+ * -- kzak@redhat.com (22-Feb-2006)
+ */
+ retcode = pam_acct_mgmt(pamh, 0);
- PAM_FAIL_CHECK;
+ if(retcode == PAM_NEW_AUTHTOK_REQD) {
+ retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
}
+ PAM_FAIL_CHECK;
+
/*
* Grab the user information out of the password file for future usage
* First get the username that we are actually using, though.