From: Andrew Morgan (morgan transmeta.com)
Date: Mon Nov 26 2001 - 13:01:57 CST
What a mess. The basic problem is that pam_setcred is an interesting
concept without much of a formal definition. (For example, when/how will
a module require credentials be refreshed?)
The original PAM RFC:
http://www.kernel.org/pub/linux/libs/pam/pre/doc/rfc86.0.txt.gz
Contains an explicit example (see "APPENDIX B. SAMPLE PAM APPLICATION")
where it is pretty explicit that the setcred(pamh, PAM_ESTABLISH_CRED)
call happens after the session is opened.
However, as commented here (by Ted in May of this year):
http://www.mailgate.org/linux/linux.redhat.pam/msg01757.html
this doesn't actually make much sense...
Looking through the sources for Linux-PAM, I believe that we presently
advocate the reverse policy from that which rfc86.0 was suggesting.
Indeed, I believe that all of the Linux-PAM source code and
documentation presently recommend setcred before open_session (this is
from documentation of February this year):
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/pam/Linux-PAM/doc/pam_modules.sgml.diff?r1=1.3&r2=1.4
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/pam/Linux-PAM/doc/pam_appl.sgml.diff?r1=1.3&r2=1.4
What currently confuses me about all this is the relative timing of
these changes. Perhaps I was just cleaning house, or perhaps someone
pointed out the inconsistent state of the world at around that time?
Whatever the case, this appears to have been all dealt with as part of
Bug 229775.
Cheers
Andrew
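
An added example, not part of the original post or of Linux-PAM: a small C checker that reports which of the two orderings discussed above (setcred before open_session, or the rfc86.0 sample's open_session before setcred) an application follows, given a call trace. The one-call-per-line trace format with symbolic flag names, the function names in the checker, and the sample traces are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum pam_order {
    ORDER_INCOMPLETE,     /* one or both calls never appear in the trace */
    ORDER_SETCRED_FIRST,  /* setcred, then open_session */
    ORDER_SESSION_FIRST   /* open_session, then setcred (rfc86.0 sample) */
};

static int starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Assumed trace format: one call per line, function name first, symbolic flags. */
enum pam_order classify_pam_order(const char *trace)
{
    long setcred_at = -1, session_at = -1, lineno = 0;
    char line[256];  /* longer lines are truncated to this buffer */
    for (const char *p = trace; *p; lineno++) {
        size_t len = strcspn(p, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, p);
        p += len + (p[len] == '\n');
        /* First occurrence decides; setcred with other flags does not count. */
        if (setcred_at < 0 && starts_with(line, "pam_setcred(") &&
            strstr(line, "PAM_ESTABLISH_CRED"))
            setcred_at = lineno;
        else if (session_at < 0 && starts_with(line, "pam_open_session("))
            session_at = lineno;
    }
    if (setcred_at < 0 || session_at < 0)
        return ORDER_INCOMPLETE;
    return setcred_at < session_at ? ORDER_SETCRED_FIRST : ORDER_SESSION_FIRST;
}

/* Constructed sample traces, not captured from a real program. */
static const char TRACE_SETCRED_FIRST[] =
    "pam_authenticate(pamh, 0)\n"
    "pam_setcred(pamh, PAM_ESTABLISH_CRED)\n"
    "pam_open_session(pamh, 0)\n";
static const char TRACE_SESSION_FIRST[] =
    "pam_authenticate(pamh, 0)\n"
    "pam_open_session(pamh, 0)\n"
    "pam_setcred(pamh, PAM_ESTABLISH_CRED)\n";
int main(void)
{
    printf("%d %d\n", classify_pam_order(TRACE_SETCRED_FIRST),
           classify_pam_order(TRACE_SESSION_FIRST));
    return 0;
}
```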