Date:      Sun, 20 Jan 2002 22:17:12 +0300
From:      "Andrey A. Chernov" <ache@nagual.pp.ru>
To:        markm@freebsd.org, des@freebsd.org, current@freebsd.org
Subject:   Step2, pam_unix just expired pass fix for review
Message-ID:  <20020120191711.GA23576@nagual.pp.ru>

Bug: 
It is possible that when pam_sm_acct_mgmt() is called, the password is not
expired, but due to some delay between calls (like network delays for NIS
passwords), it has expired at the moment of the pam_sm_authenticate() check.

It may allow a user to enter with an expired password under some circumstances
when he is not allowed to do it.

Fix:
Use the traditional Unix check (like that found in pre-PAM ftpd.c and login.c) for
password expiration at the last moment, i.e. right after checking that it
is valid.


--- pam_unix.c.bak1	Sun Jan 20 21:42:47 2002
+++ pam_unix.c	Sun Jan 20 21:58:45 2002
@@ -152,6 +152,8 @@
 
 		retval = strcmp(encrypted, pwd->pw_passwd) == 0 ?
 		    PAM_SUCCESS : PAM_AUTH_ERR;
+		if (pwd->pw_expire && time(NULL) >= pwd->pw_expire)
+			retval = PAM_AUTH_ERR;
 	}
 	else {
 
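Review bot: the added test on the `time(NULL) >= pwd->pw_expire` line covers only pw_expire, which in FreeBSD's struct passwd is the account expiration time; the password change deadline is held in pw_change, and the hunk does not look at it. If the aim is to close the window for an expired password, as the subject says, the same last-moment comparison is needed for pw_change, or the description should say that only account expiry is handled here. The override also returns PAM_AUTH_ERR, so the caller cannot tell an expired entry from a wrong password; a short comment above the new lines saying why the expiry test is repeated here, right after the strcmp(), would help the next reader.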
-- 
Andrey A. Chernov
http://ache.pp.ru/
