Blob Blame History Raw
--- a/src/vlock/auth.c
+++ b/src/vlock/auth.c
@@ -4,7 +4,7 @@
   PAM authentication routine for vlock, the VT locking program for linux.
 
   Copyright (C) 1994-1998 Michael K. Johnson <johnsonm@redhat.com>
-  Copyright (C) 2002, 2005 Dmitry V. Levin <ldv@altlinux.org>
+  Copyright (C) 2002, 2005, 2013 Dmitry V. Levin <ldv@altlinux.org>
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -36,6 +36,25 @@
 /* Unrecognized PAM error timeout. */
 #define	ERROR_TIMEOUT	10
 
+static int
+do_account_password_management (pam_handle_t *pamh)
+{
+	int rc;
+
+	/* Whether the authenticated user is allowed to log in? */
+	rc = pam_acct_mgmt (pamh, 0);
+
+	/* Do we need to prompt the user for a new password? */
+	if (rc == PAM_NEW_AUTHTOK_REQD)
+		rc = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+
+	/* Extend the lifetime of the existing credentials. */
+	if (rc == PAM_SUCCESS)
+		rc = pam_setcred (pamh, PAM_REFRESH_CRED);
+
+	return rc;
+}
+
 int
 get_password (pam_handle_t * pamh, const char *username, const char *tty)
 {
@@ -84,6 +103,23 @@ get_password (pam_handle_t * pamh, const char *username, const char *tty)
 		switch (rc)
 		{
 			case PAM_SUCCESS:
+				rc = do_account_password_management (pamh);
+
+				if (rc != PAM_SUCCESS)
+				{
+					/*
+					 * The user was authenticated but
+					 * either account or password management
+					 * returned an error.
+					 */
+					printf ("%s.\n\n\n",
+						pam_strerror (pamh, rc));
+					fflush (stdout);
+					pam_end (pamh, rc);
+					pamh = 0;
+					break;
+				}
+
 				pam_end (pamh, rc);
 				/* Log the fact of console unlocking. */
 				syslog (LOG_NOTICE,