There is possible when pam_sm_acct_mgmt() called, password is not
expired, but due to some delay between calls (like network delays for NIS
passwords), expired at the moment of pam_sm_authenticate() check.

It may allow user to enter with expired password under some circumstanes 
when he is not allowed to do it.

Use traditional Unix check (like found in pre-PAM ftpd.c and login.c) for 
password expiration at the last moment, i.e. right after checking that it 
is valid.

--- pam_unix.c.bak1     Sun Jan 20 21:42:47 2002
+++ pam_unix.c  Sun Jan 20 21:58:45 2002
@@ -152,6 +152,8 @@
                retval = strcmp(encrypted, pwd->pw_passwd) == 0 ?
                    PAM_SUCCESS : PAM_AUTH_ERR;
+               if (pwd->pw_expire && time(NULL) >= pwd->pw_expire)
+                       retval = PAM_AUTH_ERR;
        else {
Andrey A. Chernov

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to