diff options
Diffstat (limited to 'login-utils/login.c')
| -rw-r--r-- | login-utils/login.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/login-utils/login.c b/login-utils/login.c index 3948cb7d1..1715015d5 100644 --- a/login-utils/login.c +++ b/login-utils/login.c @@ -582,16 +582,22 @@ main(int argc, char **argv) pam_end(pamh, retcode); exit(0); } + } - retcode = pam_acct_mgmt(pamh, 0); - - if(retcode == PAM_NEW_AUTHTOK_REQD) { - retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); - } + /* + * Authentication may be skipped (for example, during krlogin, rlogin, etc...), + * but it doesn't mean that we can skip other account checks. The account + * could be disabled or password expired (althought kerberos ticket is valid). + * -- kzak@redhat.com (22-Feb-2006) + */ + retcode = pam_acct_mgmt(pamh, 0); - PAM_FAIL_CHECK; + if(retcode == PAM_NEW_AUTHTOK_REQD) { + retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); } + PAM_FAIL_CHECK; + /* * Grab the user information out of the password file for future usage * First get the username that we are actually using, though. |