
[Pkg-xfce-devel] Bug#735670: Bug#735670: lightdm ask ldap administrator password when changing a password expired




On Wed, Jan 29, 2014 at 07:16:01PM +0000, Steve Langasek wrote:
> On Mon, Jan 27, 2014 at 08:55:05PM +0100, Yves-Alexis Perez wrote:
> 
> > > Steve about the man page:
> > > > Well, this information from the manpage authoritatively describes how the
> > > > flag is meant to be used: if pam_chauthtok() is being called to request
> > > > changing expired tokens, the flag is expected to be passed.
> 
> > That's not what it says:
> 
> > PAM_CHANGE_EXPIRED_AUTHTOK
> >      This argument indicates to the modules that the users
> >      authentication token (password) should only be changed if it has
> >      expired. If this argument is not passed, the application requires
> >      that all authentication tokens are to be changed.
> 
> > I'm not a native speaker, but I parse as "if it's passed, the password
> > won't be changed if it has expired" and "if it's not passed, all the
> > authentication tokens should be changed". Nothing relevant to the
> > superuser is given here, and nothing says flag must be passed in order
> > to change expired password.
> 
> > So maybe it should be rephrased to more precisely describe what it does?
> 
> I don't think there's anything imprecise here.  It says nothing about the
> superuser because that's not part of the spec; it's a side effect of the
> application misusing the API.
> 
> If an application is enforcing a password change policy on the user by

It seems that PAM is actually considering the password expired and wants
it changed; I'm not sure the application is really enforcing anything.

> forcing expired passwords to be reset, you must be passing
> PAM_CHANGE_EXPIRED_AUTHTOK.  The application should not be calling
> pam_chauthtok() *without* PAM_CHANGE_EXPIRED_AUTHTOK unless there's a
> user-initiated request for changing the password.

Well, again, I think that needs to be clarified in the documentation.
Because it's pretty clear when you say it, but it's definitely not in
the man page.

> It's just wrong for the
> application to insist all un-expired authentication tokens be changed just
> because one authentication token is expired.

Since the beginning I take "authentication token" as "password", but I
have the feeling it's more than that, so feel free to point me to some
documentation here.

Regards,
-- 
Yves-Alexis Perez