Date: Tue, 18 Feb 1997 09:55:11 -0500 (EST)
From: Robert N Watson <rnw+@andrew.cmu.edu>
To: freebsd-hackers@freefall.FreeBSD.org
Subject: Password expire + account expire fields in pwdb
Message-ID: <Yn2Q=Dm00YVpR4eOF_@andrew.cmu.edu>

These are very useful fields -- but it would be nice if these blocked login for all locations :). Users can still ssh in long after the account has expired, etc.

Would it be possible to implement a pluggable "authenticate" function somewhere? It would take a username, encrypted password string (or unencrypted?), and then authenticate, either returning some true value, or a pointer to a string indicating why authentication failed. This could be "Incorrect login", or "Account Expired", etc. This would require some changes in ports of applications, but would allow for a more consistent approach to login prevention. Presumably it could be patched into popper, ssh, samba, etc.

Either that, or scrap the expiration fields -- very few of my users log in without ssh anymore, making the fields a waste of space. :) Not being able to force password changes on ssh in a consistent way is not ideal in our environment.

Doing this might coincide nicely with installing pluggable authentication for encryption/secure cards, etc.

Robert
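
A sketch of the kind of shared entry point the message asks for, added here as an illustration; it is not code from the original post or from FreeBSD. The record layout, the sample accounts, the "Password Expired" string and the names `struct acct`, `verify_fn`, `demo_verify` and `authenticate` are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical record; change/expire model the two expiry fields, 0 = never. */
struct acct {
    const char *name, *hash;
    time_t change, expire;
};

/* Pluggable credential check: nonzero when secret matches the stored value. */
typedef int (*verify_fn)(const char *secret, const char *stored);
/* Constructed sample data, not a real password database. */
static const struct acct accounts[] = {
    { "alice", "hash-a", 0,    0    },
    { "bob",   "hash-b", 0,    1000 },  /* account expires at t=1000 */
    { "carol", "hash-c", 1000, 0    },  /* password expires at t=1000 */
};

/* Stand-in verifier for the demo; a real one would compare crypt(3) output. */
static int demo_verify(const char *secret, const char *stored)
{
    return strcmp(secret, stored) == 0;
}

/* Returns NULL on success, otherwise a string saying why login is refused. */
const char *authenticate(const char *user, const char *secret,
                         verify_fn verify, time_t now)
{
    const struct acct *a = NULL;
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0) a = &accounts[i];
    /* Check the credential first, and run the verifier even for unknown
     * users, so expiry state is only revealed to someone who authenticated. */
    int ok = verify(secret, a ? a->hash : "no-such-user");
    if (a == NULL || !ok)
        return "Incorrect login";
    if (a->expire != 0 && now >= a->expire)
        return "Account Expired";
    if (a->change != 0 && now >= a->change)
        return "Password Expired";
    return NULL;
}

int main(void)
{
    const char *why = authenticate("bob", "hash-b", demo_verify, 2000);
    return printf("bob: %s\n", why ? why : "ok") < 0;
}
```

Every service that calls the same function gets the same expiry decision, which is the consistency the message is after; a service that keeps its own password check bypasses it.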