From owner-freebsd-current Sun Jan 20 12:14: 0 2002 Delivered-To: freebsd-current@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id C43A037B429; Sun, 20 Jan 2002 12:13:51 -0800 (PST) Received: (from ache@localhost) by nagual.pp.ru (8.11.6/8.11.6) id g0KKDmP24563; Sun, 20 Jan 2002 23:13:49 +0300 (MSK) (envelope-from ache) Date: Sun, 20 Jan 2002 23:13:45 +0300 From: "Andrey A. Chernov" To: Dag-Erling Smorgrav Cc: markm@freebsd.org, current@freebsd.org Subject: Re: Step2, pam_unix just expired pass fix for review Message-ID: <20020120201344.GD24138@nagual.pp.ru> References: <20020120191711.GA23576@nagual.pp.ru> <20020120195407.GA24138@nagual.pp.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.24i Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Sun, Jan 20, 2002 at 21:07:14 +0100, Dag-Erling Smorgrav wrote: > I misread your mail. Pam_sm_authenticate() is not supposed to care > that the password is expired. If it did, it users with expired > passwords would be effectively locked out; they're supposed to get a > chance to change their password. The application is supposed to call > pam_chauthtok() if pam_acct_mgmt() returns PAM_AUTHTOK_EXPIRED; see > the sample application in DCE RFC 86.0. Yes, but I mean edge case when password yet not expired at the moment of pam_acct_mgmt() call (i.e. pam_acct_mgmt() not return PAM_AUTHTOK_EXPIRED), but expired at the moment of pam_authenticate() call. There can be big network delay between this two calls. -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message