Mark Murray <[EMAIL PROTECTED]> writes:
> > On Sun, Jan 20, 2002 at 19:47:55 +0000, Mark Murray wrote:
> > > Do you mean that at at the very edge of password expiry, the user may
> > > still be able log in (maybe some seconds later)? If so this is not a
> > > credible threat.
> > Yes. Few seconds can be few hours or more in case network is down or
> > something like, this mainly for network passwords like NIS.
> This is still not something that is pam_authenticate()'s business. [...]

I think this is all a misunderstanding (I misunderstood it too at
first).  There is no race.  First, pam_authenticate() returns
PAM_SUCCESS if the password was correct, regardless of whether it's
expired.  Next, pam_acct_mgmt() returns PAM_AUTHTOK_EXPIRED if the
password has expired when it is called.  Everything works as expected
even if the password expires between the two calls.

Dag-Erling Smorgrav - [EMAIL PROTECTED]

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to