> On Sun, Jan 20, 2002 at 19:47:55 +0000, Mark Murray wrote:
> > 
> > Do you mean that at at the very edge of password expiry, the user may
> > still be able log in (maybe some seconds later)? If so this is not a
> > credible threat.
> Yes. Few seconds can be few hours or more in case network is down or
> something like, this mainly for network passwords like NIS.

This is still not something that is pam_authenticate()'s business. If
you believe that this is a problem, then the order and time in which
these are done inside pam needs to be addressed, not by kluging 
pam modules. Perhaps the PAM-using applications need to be looked at
as well to make sure they don't do anything silly.

pam_authenticate() answers the question "does the user have the correct
credentials?". pam_acct_mgmt() answers the question "OK - they are who
they say they are. Are they allowed in _now_?".

o       Mark Murray
\_      FreeBSD Services Limited
O.\_    Warning: this .sig is umop ap!sdn

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to