Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Thorsten Kukuk (kukuksuse.de)
Date: Mon Feb 02 2009 - 07:33:45 CST
since Linux-PAM 0.75/0.76 we use a froozen chain for
pam_setcred, pam_chauthtok and pam_open_session/pam_close_session.
With pam_setcred and pam_session I have no problems, there it is
But I got now bug reports because of pam_chauthtok, and I see a
real problem there:
Nearly all modules return always PAM_SUCCESS for PAM_PRELIM_CHECK
if you try to update an password. As result, "requisite" will be
handled as "required" and the control flow will not return to the
application in a failure, but the following module on the stack
But reverting that change for pam_chauthok means breaking
I see now several solutions:
1. Ignore the problem and document that "requisite" will not
work as expected in most cases for password changes.
2. Revert that change and document, that PAM_PRELIM_CHECK
after "sufficient" modules will not run, but that the
module still could be called for PAM_CHAUTHTOK.
3. Always run all modules with "PAM_PRELIM_CHECK" and
ignore "sufficient" and "requisite".
Any ideas/opinions/other choices?
Currently I tend to option 3).
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
Pam-list mailing list