pam-krb5 3.10 released
Russ Allbery
rra at stanford.edu
Sat Jan 19 15:39:52 EST 2008
Russ Allbery <rra at stanford.edu> writes:
> "Markus Moeller" <huaraz at moeller.plus.com> writes:
>> I usually don't use the change password feature, but I now checked the
>> pam help for pam_sm_authenticate and pam_sm_acct_mgmt. On both Linux
>> and Solaris it states that only pam_acct_mgmt should return
>> PAM_NEW_AUTHTOK_REQD for expired passwords not pam_sm_authenticate. I
>> haven't yet checked the OpenSSH and others sources, but I think you
>> need to save the state you get in pam_sm_authenticate and use it in
>> pam_sm_acct_mgmt.
> Yeah, this is how the documentation claims that PAM should work, but it
> doesn't actually work this way and most applications don't expect it to
> work this way. In practice, pam-krb5 will usually not return
> PAM_NEW_AUTHTOK_REQD anyway since the Kerberos library will handle the
> password change immediately.
> Currently, the module somewhat intentionally doesn't support the way in
> which password changes supposedly work since I've never seen any
> software that needed that behavior, but I suppose it could be added.
It's worth noting that the supposedly correct behavior cannot be the
default behavior, since (broken) applications that call pam_authenticate
and never call pam_acct_mgmt will then incorrectly grant access to users
with expired passwords. Such applications are *extremely* common. It
would have to be an option that one could enable if one was sure that all
of one's applications correctly followed the documented PAM semantics.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>