From: Steve Langasek (vorlon@netexpress.net)
Date: Sun Mar 04 2001 - 14:12:58 CST

    On Sun, 4 Mar 2001, Nicolas Williams wrote:

    > We can probably put in #ifdef'ed fixes for this in all modules that
    > prompt for more than one item at a time.

    :/ Not pretty... this will certainly be the only way to make modules
    compatible across all existing PAM implementations, though (regardless of what
    approach is taken to make the implementations compatible in the future).

    Incidentally, does anyone have a guide for cross-platform PAM programming,
    that covers all the minor incompatibilities one's likely to run into when
    writing modules/apps? I think the question has come up on the mailing list
    before, but I don't remember if anyone has done any compilation work on it
    yet.

    > Another possible fix would be to make a module prompt for one item at a
    > time. That was something I was already going to make an option in this
    > module because CDE's dtgreet only handles a prompt at a time anyways
    > (which means dtlogin has to break-up multi-prompts and, I think, it is
    > buggy wrt multi-prompts, at least on Solaris 8 BETA_REFRESH [yes, I
    > need to upgrade]).

    > I see no reason why it is necessary or better to send these three prompts at
    > once rather than one after the other:

    > "Password expired. You must change it now."
    > "Enter new password"
    > "Enter it again"

    > That would be a simple fix, though it will only work as long as there
    > isn't an absolute need to prompt multiple prompts in one go.

    In general this is a reasonable workaround, but I can easily see cases where
    calling the conversation function once versus multiple times would make a
    difference. Certainly, it will always be (marginally) more efficient to call
    the conversation function as few times as possible, so all other things being
    equal it makes sense for pam_krb5 to do as it does now; but there may also be
    cases where each call to the conversation function is very expensive
    (cryptographic setup/teardown?), or where a set of messages are interrelated
    and should therefore be passed together so that the relationship between them
    is evident. E.g., what if you have a conversation function that tacks
    headers/footers onto each message set? What if your conversation function
    displays the messages using a web page? (Not a hypothetical scenario; I have
    such a conversation function that works quite well with other pam_krb5
    implementations.:)

    So there may not be an /absolute/ need to send multiple prompts in one go, but
    it's certainly unfortunate if we have to give up this functionality in
    exchange for portability.

    Regards,
    Steve Langasek
    postmodern programmer

    _______________________________________________
    Pam-list mailing list
    Pam-list@redhat.com
    https://listman.redhat.com/mailman/listinfo/pam-list
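As an added illustration of the two approaches the thread weighs (this is constructed example code, not code from pam_krb5 or from either poster), here is a module-side converse helper that can deliver the three change-password prompts either in one conversation call or one per call. The PAM types are stand-ins so the block compiles without libpam, the application-side conversation function is constructed to mimic the one-prompt-per-call limitation Nicolas describes for dtgreet, and the reason the one-at-a-time path is portable is a fact not spelled out in the thread: with a single message, the Linux-PAM (array of pointers) and Solaris (pointer to array) layouts of the `msg` argument coincide.

```c
#include <stdlib.h>
/* Stand-ins for the <security/pam_appl.h> types so this compiles without
 * libpam (constructed for the example); a real module includes that header. */
enum { PAM_SUCCESS = 0, PAM_PROMPT_ECHO_OFF = 1, PAM_TEXT_INFO = 4, PAM_CONV_ERR = 19 };
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv { int (*conv)(int, const struct pam_message **,
                              struct pam_response **, void *); void *appdata_ptr; };
/* Module-side helper: send n messages in one conv() call, or one per call
 * (with a single message the array-of-pointers / pointer-to-array layouts agree). */
static int converse(const struct pam_conv *conv, int n,
                    const struct pam_message *msgs,
                    struct pam_response **resp, int one_at_a_time)
{
    const struct pam_message *ptrs[8]; int i, rc;
    if (n < 1 || n > 8) return PAM_CONV_ERR; /* fixed cap keeps the example short */
    for (i = 0; i < n; i++) ptrs[i] = &msgs[i];
    if (!one_at_a_time) return conv->conv(n, ptrs, resp, conv->appdata_ptr);
    if (!(*resp = calloc((size_t)n, sizeof **resp))) return PAM_CONV_ERR;
    for (i = 0; i < n; i++) {
        struct pam_response *one = NULL;
        rc = conv->conv(1, &ptrs[i], &one, conv->appdata_ptr);
        if (rc != PAM_SUCCESS) { free(*resp); *resp = NULL; return rc; }
        if (one) { (*resp)[i] = one[0]; free(one); } /* merge into one array */
    }
    return PAM_SUCCESS;
}
/* Constructed application side, modelled on the dtgreet limitation Nicolas
 * describes: it handles only one prompt per call, and counts the calls. */
static int calls;
static int single_prompt_conv(int n, const struct pam_message **m,
                              struct pam_response **r, void *d)
{
    (void)m; (void)d; calls++;
    if (n != 1) return PAM_CONV_ERR;
    *r = calloc(1, sizeof **r); /* empty answer; a real app fills resp */
    return PAM_SUCCESS;
}
/* Runs the three change-password prompts quoted in the thread; returns the
 * PAM status and leaves the number of conv() calls in `calls`. */
int change_password_prompts(int one_at_a_time)
{
    static const struct pam_message msgs[3] = {
        { PAM_TEXT_INFO, "Password expired. You must change it now." },
        { PAM_PROMPT_ECHO_OFF, "Enter new password" }, { PAM_PROMPT_ECHO_OFF, "Enter it again" } };
    struct pam_conv conv = { single_prompt_conv, NULL };
    struct pam_response *resp = NULL; int rc;
    calls = 0; rc = converse(&conv, 3, msgs, &resp, one_at_a_time);
    free(resp); return rc; /* a real module also frees each resp string */
}
```

Against this application, sending all three prompts at once fails on the first call, while one-at-a-time succeeds with three calls, which is the trade-off between efficiency and portability the two messages discuss.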