# Test deferring handling of expired passwords.  -*- conf -*-
#
# Written by Russ Allbery <eagle@eyrie.org>
# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
# Copyright 2010-2011
#     The Board of Trustees of the Leland Stanford Junior University
#
# SPDX-License-Identifier: BSD-3-clause or GPL-1+

[options]
    auth     = defer_pwchange use_first_pass
    account  = ignore_k5login
    password = ignore_k5login use_first_pass

[run]
    authenticate              = PAM_SUCCESS
    acct_mgmt                 = PAM_NEW_AUTHTOK_REQD
    chauthtok(PRELIM_CHECK)   = PAM_SUCCESS
    chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
    acct_mgmt                 = PAM_SUCCESS
    open_session              = PAM_SUCCESS
    close_session             = PAM_SUCCESS

[prompts]
    echo_off = Current Kerberos password: |%p
    echo_off = Enter new Kerberos password: |%n
    echo_off = Retype new Kerberos password: |%n

[output]
    INFO user %u authenticated as %0 (expired)
    INFO user %u account password is expired
    INFO user %u changed Kerberos password
    INFO user %u authenticated as %0