"Andrey A. Chernov" <[EMAIL PROTECTED]> writes: > Bug: > There is possible when pam_sm_acct_mgmt() called, password is not > expired, but due to some delay between calls (like network delays for NIS > passwords), expired at the moment of pam_sm_authenticate() check. > > It may allow user to enter with expired password under some circumstanes > when he is not allowed to do it.
I don't think this is much of an issue (at most, it will allow a user to log on up to a few seconds after her password expires), but I see your point. > Fix: > Use traditional Unix check (like found in pre-PAM ftpd.c and login.c) for > password expiration at the last moment, i.e. right after checking that it > is valid. pam_sm_acct_mgmt() is allowed to return PAM_AUTHTOK_EXPIRED (which is a better return value than PAM_AUTH_ERR for this case). Other than that, I have no objections to your patch. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message