tl-pam-passwd currently tries to "parse" the PAM prompts, and find out which prompt is the prompt for the old password, which prompt is the prompt for the new password, etc. This usually works, but has several drawbacks. PAM is, by definition, an interactive system. It's not possible to have a program "interpret" the prompts in a reliable way. A much more straightforward approach would be to pass the PAM prompts directly up to the GUI. One drawback with this approach is that PAM is not normally translated. We could solve this by having tl-passwd translate strings from well-known PAM modules, such as pam_ldap. That should work well enough. One advantage with this approach is that we will no longer need to call lsh-pam-checkpw from tl-passwd. Currently, you might end up in a situation where you can log in, but not change the password.
Hmm.. Perhaps we should reconsider tl-passwd completely now that we have better client support for password changes (bug 2640, bug 1108, bug 2760)? Depends a bit on whether it's possible to make all PAM modules use keyboard-interactive, for example for grace login support. If we decide to keep tl-passwd, without trying to translate, we still need to know which prompt response is the new password, to be able to update the SSO info. Perhaps the same regexp solution as the client uses would work?
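The two ideas in the comments above (forward every PAM prompt to the GUI unchanged, translate only the prompts of well-known modules, and use a regexp to spot which reply is the new password so the SSO info can be updated) can be sketched as a small conversation driver. This is an added illustration, not tl-passwd or tl-pam-passwd code: the PAM style constants match <security/pam_appl.h>, but the prompt texts, the translation table, the scripted GUI and the regexps are all constructed here. It also shows the failure mode the thread worries about: when a module uses wording the regexps do not know, the conversation still completes (the prompts are just passed through), but no reply can be identified as the new password.

```python
import re

# PAM message styles, numeric values as defined in <security/pam_appl.h>.
PAM_PROMPT_ECHO_OFF = 1
PAM_PROMPT_ECHO_ON = 2
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4

# Regexp classifier for the wording of well-known modules (pam_unix / pam_ldap style).
# Tested in order: "retype" must win over "new", since "Retype new password:" contains both.
PROMPT_CLASSES = [
    ("retype", re.compile(r"\b(retype|re-?enter|re-?type|again|verify)\b", re.I)),
    ("new", re.compile(r"\bnew\b.*\bpassword\b", re.I)),
    ("old", re.compile(r"\b(current|old)\b.*\bpassword\b", re.I)),
]

# Constructed translation table for a few well-known prompt strings (assumed wording);
# anything not listed is shown to the user untranslated.
TRANSLATIONS = {
    "sv": {
        "(current) UNIX password: ": "(nuvarande) UNIX-lösenord: ",
        "Enter new UNIX password: ": "Ange nytt UNIX-lösenord: ",
        "Retype new UNIX password: ": "Ange nytt UNIX-lösenord igen: ",
    }
}


def translate_prompt(text, lang):
    """Translate a prompt only if it is a known string; otherwise pass it through unchanged."""
    return TRANSLATIONS.get(lang, {}).get(text, text)


def classify_prompt(style, text, seen_new):
    """Return 'old', 'new', 'retype', or None when the wording is not recognised."""
    if style != PAM_PROMPT_ECHO_OFF:          # only hidden-input prompts carry passwords
        return None
    for name, pat in PROMPT_CLASSES:
        if pat.search(text):
            return name
    # Fallback: a hidden prompt mentioning a password before any new-password prompt is the old one.
    if "password" in text.lower() and not seen_new:
        return "old"
    return None


def run_conversation(messages, gui, lang="en"):
    """Drive a PAM-style conversation: every message is forwarded to the GUI callback.

    messages: list of (style, text) as a PAM stack would hand to the conv function.
    gui(style, text, cls): returns the user's reply for prompts, None for info/error messages.
    Returns (responses, new_password); new_password is None when no reply could be identified
    as the new password, i.e. the SSO info cannot be updated even though PAM may have succeeded.
    """
    responses, new_pw, retype_pw = [], None, None
    for style, text in messages:
        cls = classify_prompt(style, text, seen_new=new_pw is not None)
        reply = gui(style, translate_prompt(text, lang), cls)
        responses.append(reply)
        if cls == "new":
            new_pw = reply
        elif cls == "retype":
            retype_pw = reply
    if new_pw is not None and retype_pw is not None and new_pw != retype_pw:
        raise ValueError("new password and its retype do not match")
    return responses, new_pw


def make_scripted_gui(answers):
    """Simulated GUI: 'answers' maps a prompt class ('old', 'new', 'retype', None) to a reply."""
    def gui(style, text, cls):
        if style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
            return answers.get(cls)
        return None                           # info and error messages are only displayed
    return gui


# Constructed sample conversations (the wording is assumed, not captured from a real stack).
PAM_UNIX_CHANGE = [
    (PAM_PROMPT_ECHO_OFF, "(current) UNIX password: "),
    (PAM_PROMPT_ECHO_OFF, "Enter new UNIX password: "),
    (PAM_PROMPT_ECHO_OFF, "Retype new UNIX password: "),
    (PAM_TEXT_INFO, "passwd: password updated successfully"),
]
PAM_LDAP_CHANGE = [
    (PAM_PROMPT_ECHO_OFF, "Enter login(LDAP) password: "),
    (PAM_PROMPT_ECHO_OFF, "New password: "),
    (PAM_PROMPT_ECHO_OFF, "Re-enter new password: "),
]
UNKNOWN_WORDING = [                            # a module whose prompts the regexps do not know
    (PAM_TEXT_INFO, "Your password has expired. Please choose a replacement."),
    (PAM_PROMPT_ECHO_OFF, "Passphrase: "),
    (PAM_PROMPT_ECHO_OFF, "Replacement passphrase: "),
    (PAM_PROMPT_ECHO_OFF, "Confirm replacement passphrase: "),
]

if __name__ == "__main__":
    gui = make_scripted_gui({"old": "s3cret-old", "new": "hunter2!", "retype": "hunter2!", None: "?"})
    for name, conv in [("pam_unix", PAM_UNIX_CHANGE), ("pam_ldap", PAM_LDAP_CHANGE), ("unknown", UNKNOWN_WORDING)]:
        replies, new_pw = run_conversation(conv, gui)
        print(name, "-> new password for SSO:", new_pw)
```

The point of the fallback rule and the `None` result is the practical one: passing prompts straight through never blocks the user, but the SSO update has to be treated as optional and the code has to cope with not knowing the new password rather than guessing.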
tl-passwd has been removed from the product.