> On Sun, Jan 20, 2002 at 19:47:55 +0000, Mark Murray wrote: > > > > Do you mean that at at the very edge of password expiry, the user may > > still be able log in (maybe some seconds later)? If so this is not a > > credible threat. > > Yes. Few seconds can be few hours or more in case network is down or > something like, this mainly for network passwords like NIS.
This is still not something that is pam_authenticate()'s business. If you believe that this is a problem, then the order and time in which these are done inside pam needs to be addressed, not by kluging pam modules. Perhaps the PAM-using applications need to be looked at as well to make sure they don't do anything silly. pam_authenticate() answers the question "does the user have the correct credentials?". pam_acct_mgmt() answers the question "OK - they are who they say they are. Are they allowed in _now_?". M -- o Mark Murray \_ FreeBSD Services Limited O.\_ Warning: this .sig is umop ap!sdn To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
