Date: Wed, 8 May 1996 10:58:21 -0400 (EDT) From: Keith Mitchell <kmitch@phantasma.bevc.blacksburg.va.us> To: hackers@freebsd.org Subject: Security hole(??) in password expiration Message-ID: <199605081458.KAA01204@phantasma.bevc.blacksburg.va.us>
next in thread | raw e-mail | index | archive | help
If a user tries to login with an expired password, login calls passwd to get them to change their password. If they just hit enter at the new password prompt, then they can still get in. Their expired flag on their password remains in effect, but they can "get arround" password expiration in this manner. I (personally) would like to see it close the connection if this happens (or at least keep prompting them). Is this feasable? BTW this is in 2.1R/stable/current.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199605081458.KAA01204>