pam_chauthok and froozen chain problems

[Dustin Kirkland]

> Any ideas/opinions/other choices?

What about a 3-pass system, as opposed to a 2-pass system?

Pass 1: assert user is allowed to update
Pass 2: assert this token is okay
Pass 3: commit

Rather than freezing the chain after the 1st pass, freeze it after the second?

-- 
:-Dustin

p.s. I maintain a PAM module (pam_ecryptfs.so) which is suffering from
this problem on some password changes.