On Fri, Sep 11, 2015 at 7:51 AM, Jorj Bauer <j...@isc.upenn.edu> wrote:

> A better (cleaner) solution might be to rename your primary factor to, for
> example, UMICH-PREAUTH, and then have the user factor check that the
> password's not expired and that the PREAUTH factor is fulfilled before it
> issues your old primary factor.


I think I get the desired behavior if the expiry factor script exits with
return code 2 (COSIGN_CGI_PASSWORD_EXPIRED) when the account is expired,
instead of issuing the factor.

What would you think about an additional argument to "factor" that would
require the factor be evaluated every time?  Maybe invoking the reauth
mechanism?

It's always kind of bugged me that one token code would unlock everything
that needed a token code for the entire duration of a cosign session.

Liam