From 266b2533ab58c22309adf5bc31363d517298a732 Mon Sep 17 00:00:00 2001
From: Kees Cook <kees@ubuntu.com>
Date: Wed, 5 Nov 2008 12:34:02 -0800
Subject: Allow passwords to change on expired accounts, by passing
 new_authtok_reqd return codes immediately (LP: #291091).

---
 debian/pam-configs/unix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'debian/pam-configs')

diff --git a/debian/pam-configs/unix b/debian/pam-configs/unix
index 3bc350e7..4bb6bab4 100644
--- a/debian/pam-configs/unix
+++ b/debian/pam-configs/unix
@@ -8,9 +8,9 @@ Auth-Initial:
 	[success=end default=ignore]	pam_unix.so nullok_secure
 Account-Type: Primary
 Account:
-	[success=end default=ignore]	pam_unix.so
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
 Account-Initial:
-	[success=end default=ignore]	pam_unix.so
+	[success=end new_authtok_reqd=done default=ignore]	pam_unix.so
 Session-Type: Additional
 Session:
 	required	pam_unix.so
-- 
cgit v1.2.3