Mark Murray <[EMAIL PROTECTED]> writes: > > On Sun, Jan 20, 2002 at 19:47:55 +0000, Mark Murray wrote: > > > Do you mean that at at the very edge of password expiry, the user may > > > still be able log in (maybe some seconds later)? If so this is not a > > > credible threat. > > Yes. Few seconds can be few hours or more in case network is down or > > something like, this mainly for network passwords like NIS. > This is still not something that is pam_authenticate()'s business. [...]
I think this is all a misunderstanding (I misunderstood it too at first). There is no race. First, pam_authenticate() returns PAM_SUCCESS if the password was correct, regardless of whether it's expired. Next, pam_acct_mgmt() returns PAM_AUTHTOK_EXPIRED if the password has expired when it is called. Everything works as expected even if the password expires between the two calls. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
