Date:      Sun, 20 Jan 2002 19:47:55 +0000
From:      Mark Murray <mark@grondar.za>
To:        "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc:        des@freebsd.org, current@freebsd.org
Subject:   Re: Step2, pam_unix just expired pass fix for review 
Message-ID:  <200201201947.g0KJltt32724@grimreaper.grondar.org>
In-Reply-To: <20020120191711.GA23576@nagual.pp.ru> ; from "Andrey A. Chernov" <ache@nagual.pp.ru>  "Sun, 20 Jan 2002 22:17:12 +0300."
References:  <20020120191711.GA23576@nagual.pp.ru> 

> Bug: 
> It is possible that when pam_sm_acct_mgmt() is called the password is not
> expired, but due to some delay between calls (like network delays for NIS
> passwords) it has expired by the moment of the pam_sm_authenticate() check.

It is not pam_sm_authenticate()'s job to determine such things as expiry.
This is the business of pam_sm_acct_mgmt().

> It may allow a user to log in with an expired password under some circumstances
> when he is not allowed to do so.

Do you mean that at the very edge of password expiry, the user may
still be able to log in (maybe some seconds later)? If so, this is not a
credible threat.

> Fix:
> Use traditional Unix check (like found in pre-PAM ftpd.c and login.c) for 
> password expiration at the last moment, i.e. right after checking that it 
> is valid.

This fix is wrong for pam_sm_authenticate(), but valid for pam_sm_acct_mgmt().
pam_sm_acct_mgmt() already has something functionally equivalent.

M

> --- pam_unix.c.bak1	Sun Jan 20 21:42:47 2002
> +++ pam_unix.c	Sun Jan 20 21:58:45 2002
> @@ -152,6 +152,8 @@
>  
>  		retval = strcmp(encrypted, pwd->pw_passwd) == 0 ?
>  		    PAM_SUCCESS : PAM_AUTH_ERR;
> +		if (pwd->pw_expire && time(NULL) >= pwd->pw_expire)
> +			retval = PAM_AUTH_ERR;
>  	}
>  	else {
>  
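Review bot: the added test `if (pwd->pw_expire && time(NULL) >= pwd->pw_expire)` overwrites a PAM_SUCCESS from a correct password with PAM_AUTH_ERR, so the application cannot tell an expired-but-correct password from a wrong one and cannot report "password expired" to the user; expiry belongs in pam_sm_acct_mgmt(), which returns its own status for that case, as the reply above says. Two smaller points on the same lines: the hunk does not show that `<time.h>` is included for `time()`, and a second expiry check in pam_sm_authenticate() duplicates policy that pam_sm_acct_mgmt() already enforces, which is where any fix for the timing window should go.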
> -- 
> Andrey A. Chernov
> http://ache.pp.ru/
-- 
o       Mark Murray
\_      FreeBSD Services Limited
O.\_    Warning: this .sig is umop ap!sdn
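The reply draws a line between the authentication step (is the presented secret right?) and the account-management step (may this account be used right now?). The following is an added example that models that division; it is not code from this thread or from FreeBSD's pam_unix. The `struct account`, the `model_*` function names and the `ST_*` status codes are constructed stand-ins for `struct passwd`, the `pam_sm_*` entry points and the `PAM_*` constants, and the stored "hash" is a literal rather than crypt() output. It goes slightly beyond the thread by also handling the password-change deadline (`pw_change`) alongside account expiry (`pw_expire`), with 0 meaning "never" for both, so that an expired account and a correct-but-stale password each come back as a distinct status instead of being folded into an authentication failure.

```c
/* Added example: models the PAM authenticate / acct_mgmt split described in
 * the thread.  Names and values are constructed; this is not the libpam API. */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed status codes; the names mirror PAM's, the values are ours. */
enum status {
    ST_SUCCESS = 0,          /* PAM_SUCCESS */
    ST_AUTH_ERR = 1,         /* PAM_AUTH_ERR: wrong secret */
    ST_ACCT_EXPIRED = 2,     /* PAM_ACCT_EXPIRED: account lifetime passed */
    ST_NEW_AUTHTOK_REQD = 3  /* PAM_NEW_AUTHTOK_REQD: password must be changed */
};

/* Constructed stand-in for struct passwd; 0 in a time field means "never". */
struct account {
    const char *name;
    const char *pw_passwd;   /* stored hash; a literal stands in for crypt() output */
    time_t      pw_change;   /* password change deadline */
    time_t      pw_expire;   /* account expiry */
};

/* Constant-time comparison so the check does not leak how long a matching prefix was. */
static int same_secret(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la < lb ? la : lb;
    unsigned char diff = (unsigned char)(la ^ lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Authentication step: only answers "is this the right secret?". */
enum status model_authenticate(const struct account *acct, const char *presented_hash)
{
    return same_secret(presented_hash, acct->pw_passwd) ? ST_SUCCESS : ST_AUTH_ERR;
}

/* Account-management step: applies lifetime policy at time `now`.
 * Account expiry is tested first, so it takes precedence over a change deadline. */
enum status model_acct_mgmt(const struct account *acct, time_t now)
{
    if (acct->pw_expire && now >= acct->pw_expire)
        return ST_ACCT_EXPIRED;
    if (acct->pw_change && now >= acct->pw_change)
        return ST_NEW_AUTHTOK_REQD;
    return ST_SUCCESS;
}

/* Runs the two steps in the order a PAM application calls them:
 * a wrong secret stops here, a correct one is then subjected to policy. */
enum status model_login(const struct account *acct, const char *presented_hash, time_t now)
{
    enum status st = model_authenticate(acct, presented_hash);
    if (st != ST_SUCCESS)
        return st;
    return model_acct_mgmt(acct, now);
}

int main(void)
{
    /* Constructed sample: account "alice" expires at t=1000, no change deadline. */
    struct account alice = { "alice", "$hash$constructed", 0, 1000 };
    printf("good secret before expiry: %d\n", model_login(&alice, "$hash$constructed", 999));
    printf("good secret after expiry:  %d\n", model_login(&alice, "$hash$constructed", 1000));
    printf("wrong secret:              %d\n", model_login(&alice, "wrong", 999));
    return 0;
}
```

The point to take from it is that `model_login` returns `ST_ACCT_EXPIRED`, not `ST_AUTH_ERR`, for a correct password on an expired account, which is exactly the distinction the patch under review erases.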

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200201201947.g0KJltt32724>