From owner-freebsd-hackers  Tue Feb 18 06:56:58 1997
Return-Path: <owner-hackers>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id GAA07966
          for hackers-outgoing; Tue, 18 Feb 1997 06:56:58 -0800 (PST)
Received: from po9.andrew.cmu.edu (PO9.ANDREW.CMU.EDU [128.2.10.109])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA07958
          for <freebsd-hackers@freefall.FreeBSD.org>; Tue, 18 Feb 1997 06:56:54 -0800 (PST)
Received: (from postman@localhost) by po9.andrew.cmu.edu (8.8.2/8.8.2) id JAA04832 for freebsd-hackers@freefall.FreeBSD.org; Tue, 18 Feb 1997 09:56:42 -0500
Received: via switchmail; Tue, 18 Feb 1997 09:56:40 -0500 (EST)
Received: from apriori.cc.cmu.edu via qmail
          ID </afs/andrew.cmu.edu/service/mailqs/q002/QF.Un2Q=Gu00YVpQ0O0ou>;
          Tue, 18 Feb 1997 09:55:15 -0500 (EST)
Received: from apriori.cc.cmu.edu via qmail
          ID </afs/andrew.cmu.edu/usr4/rnw/.Outgoing/QF.0n2Q=Fu00YVp54eOQt>;
          Tue, 18 Feb 1997 09:55:13 -0500 (EST)
Received: from mms.4.60.Jun.27.1996.03.05.56.sun4.41.EzMail.2.0.CUILIB.3.45.SNAP.NOT.LINKED.apriori.cc.cmu.edu.sun4m.412
          via MS.5.6.apriori.cc.cmu.edu.sun4_41;
          Tue, 18 Feb 1997 09:55:11 -0500 (EST)
Message-ID: <Yn2Q=Dm00YVpR4eOF_@andrew.cmu.edu>
Date: Tue, 18 Feb 1997 09:55:11 -0500 (EST)
From: Robert N Watson <rnw+@andrew.cmu.edu>
To: freebsd-hackers@freefall.FreeBSD.org
Subject: Password expire + account expire fields in pwdb
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk


These are very useful fields -- but it would be nice if these blocked
login for all locations :).  Users can still ssh in long after the
account has expired, etc.  Would it be possible to implement a pluggable
"authenticate" function somewhere?  It would take a username, encrypted
password string (or unencrypted?), and then authenticate, either
returning some true value, or a pointer to a string indicating why
authentication failed.  This could be "Incorrect login", or "Account
Expired", etc.  This would require some changes in ports of
applications, but would allow for a more consistent approach to login
prevention.  Presumably it could be patched into popper, ssh, samba,
etc.  Either that, or scrap the expiration fields -- very few of my
users log in without ssh anymore, making the fields a waste of space. 
:)  Not being able to force password changes on ssh in a consistent way
is not ideal in our environment.  Doing this might coincide nicely with
installing pluggable authentication for encryption/secure cards, etc.

Robert