[Pkg-shadow-commits] r2711 - in upstream/trunk: . src

Nicolas FRANÇOIS nekral-guest at alioth.debian.org
Sun Apr 19 16:22:17 UTC 2009


Author: nekral-guest
Date: 2009-04-19 16:22:17 +0000 (Sun, 19 Apr 2009)
New Revision: 2711

Modified:
   upstream/trunk/ChangeLog
   upstream/trunk/NEWS
   upstream/trunk/src/login.c
Log:
	* NEWS, src/login.c: Also check if the authentication token of the
	user has to be updated in case the user was already authenticated.


Modified: upstream/trunk/ChangeLog
===================================================================
--- upstream/trunk/ChangeLog	2009-04-19 16:09:00 UTC (rev 2710)
+++ upstream/trunk/ChangeLog	2009-04-19 16:22:17 UTC (rev 2711)
@@ -1,5 +1,10 @@
 2009-04-19  Nicolas François  <nicolas.francois at centraliens.net>
 
+	* NEWS, src/login.c: Also check if the authentication token of the
+	user has to be updated in case the user was already authenticated.
+
+2009-04-19  Nicolas François  <nicolas.francois at centraliens.net>
+
 	* src/login.c: fflg is already restricted to root. Move
 	pam_acct_mgmt(), in case of fflg, earlier. This is equivalent and
 	simplifies the code.

Modified: upstream/trunk/NEWS
===================================================================
--- upstream/trunk/NEWS	2009-04-19 16:09:00 UTC (rev 2710)
+++ upstream/trunk/NEWS	2009-04-19 16:22:17 UTC (rev 2711)
@@ -5,6 +5,8 @@
 - login
   * Do not trust the current utmp entry's ut_line to set PAM_TTY. This could
     lead to DOS attacks.
+  * (PAM) Even if the user was already authenticated (-f flag), ask the
+    user to update his authentication token if needed.
 
 shadow-4.1.3 -> shadow-4.1.3.1						2009-04-15
 

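Review bot: The new login entry says the user is asked to update the token, but not what happens when that update fails or is declined. In the src/login.c part of this commit the return value of pam_chauthtok() is passed to PAM_FAIL_CHECK, so the entry should state the outcome for a -f login in that case, since callers that rely on -f for pre-authenticated sessions will see this as a behaviour change. A minor wording point: "his authentication token" could read "their authentication token".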
Modified: upstream/trunk/src/login.c
===================================================================
--- upstream/trunk/src/login.c	2009-04-19 16:09:00 UTC (rev 2710)
+++ upstream/trunk/src/login.c	2009-04-19 16:22:17 UTC (rev 2711)
@@ -811,17 +811,14 @@
 
 		/* We don't get here unless they were authenticated above */
 		alarm (0);
-		retcode = pam_acct_mgmt (pamh, 0);
+	}
 
-		if (retcode == PAM_NEW_AUTHTOK_REQD) {
-			retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
-		}
-
-		PAM_FAIL_CHECK;
-	} else (fflg) {
-		retcode = pam_acct_mgmt (pamh, 0);
-		PAM_FAIL_CHECK;
+	/* Check the account validity */
+	retcode = pam_acct_mgmt (pamh, 0);
+	if (retcode == PAM_NEW_AUTHTOK_REQD) {
+		retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
 	}
+	PAM_FAIL_CHECK;
 
 	/* Grab the user information out of the password file for future usage
 	   First get the username that we are actually using, though.
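Review bot: The comment "Check the account validity" on the relocated block undersells what now runs on the fflg path. With the block moved outside the closing brace, pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK) can be reached for a user who did not go through the authentication step above in this session. Please extend the comment to say that the block applies to pre-authenticated (-f) logins as well, and that the result of the token change, not only of pam_acct_mgmt(), is what PAM_FAIL_CHECK tests. It would also help to confirm, in the commit log or the comment, that prompting for a token change is acceptable for every caller that uses -f, because the removed fflg branch only called pam_acct_mgmt() and never prompted.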



