Date: Sun, 20 Jan 2002 23:13:45 +0300
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: markm@freebsd.org, current@freebsd.org
Subject: Re: Step2, pam_unix just expired pass fix for review
Message-ID: <20020120201344.GD24138@nagual.pp.ru>
In-Reply-To: <xzpy9is3hxp.fsf@flood.ping.uio.no>
References: <20020120191711.GA23576@nagual.pp.ru> <xzplmes4xpm.fsf@flood.ping.uio.no> <20020120195407.GA24138@nagual.pp.ru> <xzpy9is3hxp.fsf@flood.ping.uio.no>

On Sun, Jan 20, 2002 at 21:07:14 +0100, Dag-Erling Smorgrav wrote:
> I misread your mail. Pam_sm_authenticate() is not supposed to care
> that the password is expired. If it did, users with expired
> passwords would be effectively locked out; they're supposed to get a
> chance to change their password. The application is supposed to call
> pam_chauthtok() if pam_acct_mgmt() returns PAM_AUTHTOK_EXPIRED; see
> the sample application in DCE RFC 86.0.

Yes, but I mean the edge case when the password is not yet expired at the moment of the pam_acct_mgmt() call (i.e. pam_acct_mgmt() does not return PAM_AUTHTOK_EXPIRED), but is expired at the moment of the pam_authenticate() call. There can be a big network delay between these two calls.

--
Andrey A. Chernov
http://ache.pp.ru/