Date: 20 Jan 2002 21:13:33 +0100 From: Dag-Erling Smorgrav <des@ofug.org> To: Mark Murray <mark@grondar.za> Cc: "Andrey A. Chernov" <ache@nagual.pp.ru>, current@freebsd.org Subject: Re: Step2, pam_unix just expired pass fix for review Message-ID: <xzpsn903hn6.fsf@flood.ping.uio.no> In-Reply-To: <200201202006.g0KK6Wt32931@grimreaper.grondar.org> References: <20020120195737.GB24138@nagual.pp.ru> <200201202006.g0KK6Wt32931@grimreaper.grondar.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Mark Murray <mark@grondar.za> writes: > > On Sun, Jan 20, 2002 at 19:47:55 +0000, Mark Murray wrote: > > > Do you mean that at at the very edge of password expiry, the user may > > > still be able log in (maybe some seconds later)? If so this is not a > > > credible threat. > > Yes. Few seconds can be few hours or more in case network is down or > > something like, this mainly for network passwords like NIS. > This is still not something that is pam_authenticate()'s business. [...] I think this is all a misunderstanding (I misunderstood it too at first). There is no race. First, pam_authenticate() returns PAM_SUCCESS if the password was correct, regardless of whether it's expired. Next, pam_acct_mgmt() returns PAM_AUTHTOK_EXPIRED if the password has expired when it is called. Everything works as expected even if the password expires between the two calls. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?xzpsn903hn6.fsf>