Subject: Re: PAM session vs. auth
From: Steve Langasek (vorlonnetexpress.net)
Date: Mon Oct 09 2000 - 15:12:00 CDT


On 9 Oct 2000, Dustin Puryear wrote:

> I suppose by using the acct stack I get past the authentication issue
> entirely. However, can I assume that all services will actually use the
> acct stack? I know that at a minimum they will be using the auth stack,
> and that's why I went that route. It seems to me that the acct stack
> presents the same problem as the session stack--not everyone will use it.

While opening and closing a 'session' does not make sense for all
applications, it always makes sense for a PAMified application to call
pam_acct_mgmt(), as this is the module that does account authorization checks.
I've never seen an application that called pam_authenticate() but not
pam_acct_mgmt(), and I would be inclined to argue that an application that did
so was not properly PAMified, as it is this second function which checks for
things such as expired passwords.

Steve Langasek
postmodern programmer

_______________________________________________
Pam-list mailing list
Pam-listredhat.com
https://listman.redhat.com/mailman/listinfo/pam-list
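
The rule in the reply above, turned into a source audit. This is an added example, not part of the original message or of Linux-PAM. The helper name `audit_pam_source` is hypothetical and both C snippets are constructed samples; the helper flags C code that calls pam_authenticate() but never pam_acct_mgmt().

```python
import re

# Comments and string literals are blanked out first, so a mention of the
# function in a TODO or a log message is not counted as a real call.
NOISE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', re.S)

def call_lines(source, name):
    """Return 1-based line numbers where `name(` appears in real code."""
    # Keep the newlines of removed spans so line numbers stay correct.
    code = NOISE.sub(lambda m: "\n" * m.group(0).count("\n"), source)
    pattern = r"\b" + re.escape(name) + r"\s*\("
    return [code.count("\n", 0, m.start()) + 1
            for m in re.finditer(pattern, code)]

def audit_pam_source(source):
    """Flag code that authenticates but never runs the account check."""
    auth = call_lines(source, "pam_authenticate")
    acct = call_lines(source, "pam_acct_mgmt")
    return {
        "pam_authenticate": auth,
        "pam_acct_mgmt": acct,
        # Authentication without the account stack: expired passwords and
        # other account restrictions are never evaluated.
        "missing_acct_mgmt": bool(auth) and not acct,
    }

# Constructed sample: authenticate, then account check.
GOOD = '''
int login(pam_handle_t *pamh) {
    int rc = pam_authenticate(pamh, 0);
    if (rc == PAM_SUCCESS)
        rc = pam_acct_mgmt(pamh, 0);   /* expired passwords etc. */
    return rc;
}
'''

# Constructed sample: the account check exists only inside a comment.
BAD = '''
int login(pam_handle_t *pamh) {
    /* TODO: call pam_acct_mgmt(pamh, 0) here */
    return pam_authenticate(pamh, 0);
}
'''

if __name__ == "__main__":
    for label, src in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_pam_source(src))
```

This is a textual check: it shows whether the call exists in the source, not that it is reached on every path or that its return value is honoured.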