Mark Murray <[EMAIL PROTECTED]> writes:
> > On Sun, Jan 20, 2002 at 19:47:55 +0000, Mark Murray wrote:
> > > Do you mean that at at the very edge of password expiry, the user may
> > > still be able log in (maybe some seconds later)? If so this is not a
> > > credible threat.
> > Yes. Few seconds can be few hours or more in case network is down or
> > something like, this mainly for network passwords like NIS.
> This is still not something that is pam_authenticate()'s business. [...]
I think this is all a misunderstanding (I misunderstood it too at
first). There is no race. First, pam_authenticate() returns
PAM_SUCCESS if the password was correct, regardless of whether it's
expired. Next, pam_acct_mgmt() returns PAM_AUTHTOK_EXPIRED if the
password has expired when it is called. Everything works as expected
even if the password expires between the two calls.
Dag-Erling Smorgrav - [EMAIL PROTECTED]
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message