Blame util-linux-2.13-login-pam-acct.patch
|
 |
5896f9a |
--- util-linux-2.13-pre6/login-utils/login.c.acct 2006-02-22 21:43:03.000000000 +0100
|
|
|
5896f9a |
+++ util-linux-2.13-pre6/login-utils/login.c 2006-02-22 21:57:55.000000000 +0100
|
|
|
5896f9a |
@@ -602,16 +602,22 @@
|
|
|
5896f9a |
pam_end(pamh, retcode);
|
|
|
5896f9a |
exit(0);
|
|
|
5896f9a |
}
|
|
|
5896f9a |
+ }
|
|
|
5896f9a |
|
|
|
5896f9a |
- retcode = pam_acct_mgmt(pamh, 0);
|
|
|
5896f9a |
-
|
|
|
5896f9a |
- if(retcode == PAM_NEW_AUTHTOK_REQD) {
|
|
|
5896f9a |
- retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
|
|
|
5896f9a |
- }
|
|
|
5896f9a |
+ /*
|
|
|
5896f9a |
+ * Authentication may be skipped (for example, during krlogin, rlogin, etc...),
|
|
|
5896f9a |
+ * but it doesn't mean that we can skip other account checks. The account
|
|
|
5896f9a |
+ * could be disabled or password expired (althought kerberos ticket is valid).
|
|
|
5896f9a |
+ * -- kzak@redhat.com (22-Feb-2006)
|
|
|
5896f9a |
+ */
|
|
|
5896f9a |
+ retcode = pam_acct_mgmt(pamh, 0);
|
|
|
5896f9a |
|
|
|
5896f9a |
- PAM_FAIL_CHECK;
|
|
|
5896f9a |
+ if(retcode == PAM_NEW_AUTHTOK_REQD) {
|
|
|
5896f9a |
+ retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
|
|
|
5896f9a |
}
|
|
|
5896f9a |
|
|
|
5896f9a |
+ PAM_FAIL_CHECK;
|
|
|
5896f9a |
+
|
|
|
5896f9a |
/*
|
|
|
5896f9a |
* Grab the user information out of the password file for future usage
|
|
|
5896f9a |
* First get the username that we are actually using, though.
|