> Bug:
> It is possible that when pam_sm_acct_mgmt() is called, the password is not
> expired, but due to some delay between calls (like network delays for NIS
> passwords), it has expired by the moment of the pam_sm_authenticate() check.

It is not pam_sm_authenticate()'s job to determine such things as expiry.
This is the business of pam_sm_acct_mgmt().

> It may allow a user to enter with an expired password under some circumstances
> when he is not allowed to do it.

Do you mean that at the very edge of password expiry, the user may
still be able to log in (maybe some seconds later)? If so, this is not a
credible threat.

> Fix:
> Use the traditional Unix check (like the one found in pre-PAM ftpd.c and login.c)
> for password expiration at the last moment, i.e. right after checking that it
> is valid.

This fix is wrong for pam_sm_authenticate(), but valid for pam_sm_acct_mgmt().
pam_sm_acct_mgmt() already has something functionally equivalent.

M

> --- pam_unix.c.bak1   Sun Jan 20 21:42:47 2002
> +++ pam_unix.c        Sun Jan 20 21:58:45 2002
> @@ -152,6 +152,8 @@
>  
>               retval = strcmp(encrypted, pwd->pw_passwd) == 0 ?
>                   PAM_SUCCESS : PAM_AUTH_ERR;
> +             if (pwd->pw_expire && time(NULL) >= pwd->pw_expire)
> +                     retval = PAM_AUTH_ERR;
>       }
>       else {
>  
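Review bot: the added expiry test sits in the pam_sm_authenticate() path, which means an expired account is reported to the application as PAM_AUTH_ERR, indistinguishable from a wrong password, and the user gets no indication that the password has expired rather than been mistyped; the account-management path can return PAM_ACCT_EXPIRED for exactly this case, so the check belongs there, where the reply notes an equivalent test already exists. If the check is kept in this hunk anyway, confirm that <time.h> is included in pam_unix.c for time(NULL), and note that the `>=` comparison marks the account expired at the exact pw_expire second, which should match the comparison used by the existing pam_sm_acct_mgmt() test so the two paths cannot disagree at the boundary.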
> -- 
> Andrey A. Chernov
> http://ache.pp.ru/
-- 
o       Mark Murray
\_      FreeBSD Services Limited
O.\_    Warning: this .sig is umop ap!sdn
