From: Thorsten Kukuk (kukuksuse.de)
Date: Wed Apr 17 2002 - 00:42:37 CDT


    On Tue, Apr 16, Andrew Morgan wrote:

    > Thorsten Kukuk wrote:
    > > > In the grand scheme of things, PAM was supposed to remove the need for
    > > > applications to know about passwords at all. Not allowing apps to
    > > > get/set them from PAM was a design decision - all this info was supposed
    > > > to be something that a module managed.
    > >
    > > Yes, but the problem is, that the functions to change the password
    > > in a pam module can also not access the token from the authentication
    > > function.
    >
    > This is a self-inflicted problem.
    >
    > If the module used a PAM_AUTHTOK of some sort to authenticate the user,
    > then it (pam_sm_authenticate()) has the opportunity to cache this value
    > with pam_set_data(). In this way, its pam_sm_chauthtok() function can
    > check for the existence of said data (pam_get_data()) when it is time
    > for the user to select a new one.
    >
    > The problem then is that pam_unix doesn't support this. Hacking around
    > this in the application is pretty ugly. Why not simply add this
    > functionality to the pam_unix module? (And make it optional based on a
    > module argument or something.)

    I wish to add it to the pam module, not to the application. I only hate
    to store passwords with pam_set_data() for security reasons and the
    initial question was, if there is already something else.

    But it seems I have to implement something with pam_set_data for
    pam_unix2.

      Thorsten

    -- 
    Thorsten Kukuk       http://www.suse.de/~kukuk/        kukuksuse.de
    SuSE Linux AG        Deutschherrenstr. 15-19       D-90429 Nuernberg
    --------------------------------------------------------------------    
    Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B
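
The caching pattern discussed in this thread, as an added example that is not code from the thread, pam_unix or pam_unix2: the authenticate step stores a private copy of the token with a cleanup callback that wipes it, and the chauthtok step looks it up. The handle struct, `fake_pam_end()`, `AUTHTOK_KEY`, `wipe_count` and the helper names are hypothetical; `pam_set_data()`/`pam_get_data()` are small stand-ins so the block runs without libpam.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-ins (assumption) for the libpam pieces used here, so the example runs
   without libpam; signatures follow pam_set_data()/pam_get_data(). */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_NO_MODULE_DATA = 18 };
typedef struct pam_handle pam_handle_t;
typedef void (*cleanup_fn)(pam_handle_t *, void *, int);
struct pam_handle { const char *name; void *data; cleanup_fn cleanup; };

int pam_set_data(pam_handle_t *h, const char *name, void *data, cleanup_fn fn) {
    if (h->data && h->cleanup) h->cleanup(h, h->data, 0); /* drop old entry */
    h->name = name; h->data = data; h->cleanup = fn;
    return PAM_SUCCESS;
}
int pam_get_data(const pam_handle_t *h, const char *name, const void **data) {
    if (!h->data || strcmp(h->name, name) != 0) return PAM_NO_MODULE_DATA;
    *data = h->data;
    return PAM_SUCCESS;
}
void fake_pam_end(pam_handle_t *h, int status) { /* what pam_end() triggers */
    if (h->data && h->cleanup) h->cleanup(h, h->data, status);
    h->data = NULL;
}

#define AUTHTOK_KEY "example_cached_authtok" /* hypothetical data name */
static int wipe_count; /* instrumentation for this example only */

/* Overwrite a secret in place; volatile keeps the stores from being elided. */
static void scrub(char *s) { volatile char *p = s; while (*p) *p++ = 0; }

/* Cleanup callback: wipe the cached token before its memory is released. */
static void wipe_authtok(pam_handle_t *h, void *data, int status) {
    (void)h; (void)status;
    scrub(data); free(data); wipe_count++;
}

/* For pam_sm_authenticate(): cache a private copy of the verified token. */
int cache_authtok(pam_handle_t *h, const char *authtok) {
    size_t n = strlen(authtok) + 1;
    char *copy = malloc(n);
    if (!copy) return PAM_BUF_ERR;
    memcpy(copy, authtok, n);
    return pam_set_data(h, AUTHTOK_KEY, copy, wipe_authtok);
}
/* For pam_sm_chauthtok(): the cached token, or NULL if none was stored. */
const char *cached_authtok(const pam_handle_t *h) {
    const void *data = NULL;
    if (pam_get_data(h, AUTHTOK_KEY, &data) != PAM_SUCCESS) return NULL;
    return data;
}
```

Module data belongs to one PAM handle, so the lookup only succeeds when authentication and the password change run in the same transaction; a module should fall back to prompting when `cached_authtok()` returns NULL.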
    
