- in login, allow PAM to interact with the user when they've been strongly

authenticated
- in login, signal PAM when we're changing an expired password that it's an
    expired password, so that when cracklib flags a password as being weak
    it's treated as an error even if we're running as root

krb5-1.6.1-pam.patch

@@ -240,7 +240,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
  
 +#ifdef USE_PAM
 +    if (login_use_pam) {
-+	if (appl_pam_acct_mgmt(LOGIN_PAM_SERVICE, 0, username, "",
++	if (appl_pam_acct_mgmt(LOGIN_PAM_SERVICE, 1, username, "",
 +			       ttyname(STDIN_FILENO)) != 0) {
 +	    printf("Login incorrect\n");
 +	    sleepexit(1);
@@ -652,9 +652,9 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
 +	int ret = 0;
 +	if (appl_pam_started) {
 +#ifdef DEBUG
-+		printf("Changing PAM authentication token.\n");
++		printf("Changing PAM expired authentication token.\n");
 +#endif
-+		ret = pam_chauthtok(appl_pamh, 0);
++		ret = pam_chauthtok(appl_pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
 +	}
 +	return ret;
 +}

krb5.spec

@@ -226,6 +226,13 @@ to obtain initial credentials from a KDC using a private key and a
 certificate.
 
 %changelog
+* Mon Feb 25 2008 Nalin Dahyabhai <nalin@redhat.com>
+- in login, allow PAM to interact with the user when they've been strongly
+  authenticated
+- in login, signal PAM when we're changing an expired password that it's an
+  expired password, so that when cracklib flags a password as being weak it's
+  treated as an error even if we're running as root
+
 * Mon Feb 18 2008 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-7
 - drop netdb patch
 - kdb_ldap: add patch to treat 'nsAccountLock: true' as an indication that