diff --git a/ChangeLog b/ChangeLog
index 0098d65c..e2c1d6fc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2009-04-19 Nicolas François
+
+ * NEWS, src/login.c: Also check if the authentication token of the
+ user has to be updated in case the user was already authenticated.
+
 2009-04-19 Nicolas François
 * src/login.c: fflg is already restricted to root. Move
diff --git a/NEWS b/NEWS
index 39aa7f0c..49525c54 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,8 @@ shadow-4.1.3.1 -> shadow-4.1.3.2 UNRELEASED
 - login
 * Do not trust the current utmp entry's ut_line to set PAM_TTY. This could lead to DOS attacks.
+ * (PAM) Even if the user was already authenticated (-f flag), ask the
+ user to update his authentication token if needed.
 shadow-4.1.3 -> shadow-4.1.3.1 2009-04-15
diff --git a/src/login.c b/src/login.c
index 4d60bc3d..30f6aab2 100644
--- a/src/login.c
+++ b/src/login.c
@@ -811,18 +811,15 @@ int main (int argc, char **argv)
 /* We don't get here unless they were authenticated above */
 alarm (0);
- retcode = pam_acct_mgmt (pamh, 0);
-
- if (retcode == PAM_NEW_AUTHTOK_REQD) {
- retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
- }
-
- PAM_FAIL_CHECK;
- } else (fflg) {
- retcode = pam_acct_mgmt (pamh, 0);
- PAM_FAIL_CHECK;
 }
+ /* Check the account validity */
+ retcode = pam_acct_mgmt (pamh, 0);
+ if (retcode == PAM_NEW_AUTHTOK_REQD) {
+ retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+ }
+ PAM_FAIL_CHECK;
+
 /* Grab the user information out of the password file for future usage
 First get the username that we are actually using, though. */
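Review bot: The new `/* Check the account validity */` comment in the login.c hunk understates what the block now does: for every login path, including the pre-authenticated `-f` one that the removed `else` branch used to exempt, a `PAM_NEW_AUTHTOK_REQD` result from `pam_acct_mgmt` triggers an interactive `pam_chauthtok`, and `PAM_FAIL_CHECK` then acts on whichever `retcode` was set last, so (assuming the macro exits on any non-success code, it is defined outside the hunk) a declined or failed token change aborts the login instead of falling through. I would replace the comment with `/* Check account validity for both -f and interactive logins; an expired token forces pam_chauthtok, and PAM_FAIL_CHECK aborts the login if either call fails. */`. The `alarm (0)` above is context inside a block whose `if` begins before the hunk, so I cannot tell from here whether the login timeout is still armed when `pam_chauthtok` prompts on the `-f` path; worth confirming that this prompt is bounded as well. The enclosing `main` starts and ends outside the hunk.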