Ok. Change was on HEAD (5.1).
http://cvs.openacs.org/cvs/openacs-4/packages/acs-subsite/lib/login.tcl?r1=1.20&r2=1.21
if { $expiration_time < 30 } {
# If expiration_time is less than 30 seconds, it's practically impossible to login
# and you will have completely hosed login on your entire site
set expiration_time 30
}
This bug has been there since the beginning of times.
/Lars