Bug:
It is possible that when pam_sm_acct_mgmt() is called, the password is not
expired, but due to some delay between calls (like network delays for NIS
passwords), it has expired at the moment of the pam_sm_authenticate() check.
It may allow a user to enter with an expired password under some circumstances
when he is
Bug:
It is possible that when pam_sm_acct_mgmt() is called, the password is not
expired, but due to some delay between calls (like network delays for NIS
passwords), it has expired at the moment of the pam_sm_authenticate() check.
It is not pam_sm_authenticate()'s job to determine such things as expiry.
This
On Sun, Jan 20, 2002 at 20:41:09 +0100, Dag-Erling Smorgrav wrote:
pam_sm_acct_mgmt() is allowed to return PAM_AUTHTOK_EXPIRED (which is
a better return value than PAM_AUTH_ERR for this case). Other than
that, I have no objections to your patch.
This is a fix for pam_sm_authenticate(), not
On Sun, Jan 20, 2002 at 19:47:55 +, Mark Murray wrote:
Do you mean that at the very edge of password expiry, the user may
still be able to log in (maybe some seconds later)? If so this is not a
credible threat.
Yes. A few seconds can be a few hours or more in case the network is down or
Mark Murray [EMAIL PROTECTED] writes:
Bug:
It is possible that when pam_sm_acct_mgmt() is called, the password is not
expired, but due to some delay between calls (like network delays for NIS
passwords), it has expired at the moment of the pam_sm_authenticate() check.
It is not pam_sm_authenticate()'s job
Andrey A. Chernov [EMAIL PROTECTED] writes:
On Sun, Jan 20, 2002 at 20:41:09 +0100, Dag-Erling Smorgrav wrote:
pam_sm_acct_mgmt() is allowed to return PAM_AUTHTOK_EXPIRED (which is
a better return value than PAM_AUTH_ERR for this case). Other than
that, I have no objections to your patch.
On Sun, Jan 20, 2002 at 19:47:55 +, Mark Murray wrote:
Do you mean that at the very edge of password expiry, the user may
still be able to log in (maybe some seconds later)? If so this is not a
credible threat.
Yes. A few seconds can be a few hours or more in case the network is down or
Mark Murray [EMAIL PROTECTED] writes:
On Sun, Jan 20, 2002 at 19:47:55 +, Mark Murray wrote:
Do you mean that at the very edge of password expiry, the user may
still be able to log in (maybe some seconds later)? If so this is not a
credible threat.
Yes. A few seconds can be a few
On Sun, Jan 20, 2002 at 20:06:32 +, Mark Murray wrote:
pam_authenticate() answers the question "does the user have the correct
credentials?". pam_acct_mgmt() answers the question "OK - they are who
they say they are. Are they allowed in _now_?".
Well, I tend to agree, Step2 is withdrawn.