"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> Bug: 
> There is possible when pam_sm_acct_mgmt() called, password is not
> expired, but due to some delay between calls (like network delays for NIS
> passwords), expired at the moment of pam_sm_authenticate() check.
> It may allow user to enter with expired password under some circumstanes 
> when he is not allowed to do it.

I don't think this is much of an issue (at most, it will allow a user
to log on up to a few seconds after her password expires), but I see
your point.

> Fix:
> Use traditional Unix check (like found in pre-PAM ftpd.c and login.c) for 
> password expiration at the last moment, i.e. right after checking that it 
> is valid.

pam_sm_acct_mgmt() is allowed to return PAM_AUTHTOK_EXPIRED (which is
a better return value than PAM_AUTH_ERR for this case).  Other than
that, I have no objections to your patch.

Dag-Erling Smorgrav - [EMAIL PROTECTED]

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to