Date: Sun, 20 Jan 2002 20:06:32 +0000 From: Mark Murray <mark@grondar.za> To: "Andrey A. Chernov" <ache@nagual.pp.ru> Cc: des@freebsd.org, current@freebsd.org Subject: Re: Step2, pam_unix just expired pass fix for review Message-ID: <200201202006.g0KK6Wt32931@grimreaper.grondar.org> In-Reply-To: <20020120195737.GB24138@nagual.pp.ru> ; from "Andrey A. Chernov" <ache@nagual.pp.ru> "Sun, 20 Jan 2002 22:57:37 %2B0300." References: <20020120195737.GB24138@nagual.pp.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
> On Sun, Jan 20, 2002 at 19:47:55 +0000, Mark Murray wrote: > > > > Do you mean that at at the very edge of password expiry, the user may > > still be able log in (maybe some seconds later)? If so this is not a > > credible threat. > > Yes. Few seconds can be few hours or more in case network is down or > something like, this mainly for network passwords like NIS. This is still not something that is pam_authenticate()'s business. If you believe that this is a problem, then the order and time in which these are done inside pam needs to be addressed, not by kluging pam modules. Perhaps the PAM-using applications need to be looked at as well to make sure they don't do anything silly. pam_authenticate() answers the question "does the user have the correct credentials?". pam_acct_mgmt() answers the question "OK - they are who they say they are. Are they allowed in _now_?". M -- o Mark Murray \_ FreeBSD Services Limited O.\_ Warning: this .sig is umop ap!sdn To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200201202006.g0KK6Wt32931>