Date:      20 Jan 2002 20:41:09 +0100
From:      Dag-Erling Smorgrav <des@ofug.org>
To:        "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc:        markm@freebsd.org, current@freebsd.org
Subject:   Re: Step2, pam_unix just expired pass fix for review
Message-ID:  <xzplmes4xpm.fsf@flood.ping.uio.no>
In-Reply-To: <20020120191711.GA23576@nagual.pp.ru>
References:  <20020120191711.GA23576@nagual.pp.ru>

"Andrey A. Chernov" <ache@nagual.pp.ru> writes:
> Bug: 
> It is possible that when pam_sm_acct_mgmt() is called, the password is not
> expired, but due to some delay between calls (like network delays for NIS
> passwords), it has expired at the moment of the pam_sm_authenticate() check.
> 
> It may allow a user to enter with an expired password under some circumstances
> when he is not allowed to do it.

I don't think this is much of an issue (at most, it will allow a user
to log on up to a few seconds after her password expires), but I see
your point.

> Fix:
> Use traditional Unix check (like found in pre-PAM ftpd.c and login.c) for 
> password expiration at the last moment, i.e. right after checking that it 
> is valid.

pam_sm_acct_mgmt() is allowed to return PAM_AUTHTOK_EXPIRED (which is
a better return value than PAM_AUTH_ERR for this case).  Other than
that, I have no objections to your patch.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
