OSEC

pam_chauthtok and frozen chain problems

From: Thorsten Kukuk (kukuk@suse.de)
Date: Mon Feb 02 2009 - 07:33:45 CST


Hi,

since Linux-PAM 0.75/0.76 we use a frozen chain for
pam_setcred, pam_chauthtok and pam_open_session/pam_close_session.

With pam_setcred and pam_session I have no problems; there it is
correct.
But now I have got bug reports because of pam_chauthtok, and I see a
real problem there:

Nearly all modules always return PAM_SUCCESS for PAM_PRELIM_CHECK
if you try to update a password. As a result, "requisite" will be
handled as "required", and on a failure the control flow will not
return to the application; instead the following module on the
stack will be called.

But reverting that change for pam_chauthtok means breaking
"sufficient".

I see now several solutions:

1. Ignore the problem and document that "requisite" will not
   work as expected in most cases for password changes.

2. Revert that change and document that PAM_PRELIM_CHECK
   after "sufficient" modules will not run, but that the
   module could still be called for PAM_CHAUTHTOK.

3. Always run all modules with "PAM_PRELIM_CHECK" and
   ignore "sufficient" and "requisite".

Any ideas/opinions/other choices?

Currently I tend towards option 3).

  Thorsten

--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)

_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
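The interaction described in the mail is easier to see in a runnable model than in prose. The following is an added illustration written for this archive page; it is not Linux-PAM source and not code from Thorsten Kukuk. It keeps only the control-flag semantics at issue ("required", "requisite", "sufficient", "optional" as documented in pam.conf(5)) and the two-pass shape of pam_chauthtok() (PAM_PRELIM_CHECK, then PAM_UPDATE_AUTHTOK only if the first pass succeeded). The frozen-chain rule it implements is the one the mail describes: the second pass takes its control-flow decisions from the first pass's return values and skips modules the first pass never reached. The two scenarios, the module names "strength", "directory" and "unix", their fixed return values, and the "prelim_all" mode (a reading of option 3 from the mail) are assumptions made for the example. Return codes and flag values are the ones from Linux-PAM's _pam_types.h.

```python
"""Toy model of Linux-PAM's password-stack dispatch (added illustration, not
Linux-PAM code).  It keeps only the control-flag semantics at issue in the
mail and the two-pass pam_chauthtok() call, and lets you switch between a
frozen chain, a live (unfrozen) chain, and the "run everything for
PAM_PRELIM_CHECK" idea (option 3 in the mail, modelled as an assumption)."""

PAM_SUCCESS = 0
PAM_AUTHTOK_ERR = 20            # values from Linux-PAM's _pam_types.h
PAM_PRELIM_CHECK = 0x4000       # pam_chauthtok() pass 1
PAM_UPDATE_AUTHTOK = 0x2000     # pam_chauthtok() pass 2
NOT_CALLED = None               # "module was not reached in the first pass"


class Module:
    """Stand-in for a PAM module: fixed answer per pass, plus a call log."""

    def __init__(self, name, prelim_rv, update_rv):
        self.name = name
        self.answers = {PAM_PRELIM_CHECK: prelim_rv, PAM_UPDATE_AUTHTOK: update_rv}
        self.calls = []              # flags of every invocation, in order

    def chauthtok(self, flags):
        self.calls.append(flags)
        return self.answers[flags]


def run_pass(stack, flags, cached=None):
    """Walk `stack` (a list of (control, Module)) once with `flags`.

    With `cached` (the previous pass's per-module return values) the chain is
    frozen: control-flow decisions use the cached value, not the fresh one,
    and modules never reached last time are skipped.  Returns the stack
    status and this pass's per-module return values.
    """
    status, failed = PAM_SUCCESS, False     # failed: a required/requisite error seen
    retvals = [NOT_CALLED] * len(stack)
    for i, (control, mod) in enumerate(stack):
        if cached is not None and cached[i] is NOT_CALLED:
            continue
        rv = mod.chauthtok(flags)
        retvals[i] = rv
        decide_on = rv if cached is None else cached[i]
        if control in ("required", "requisite"):
            if rv != PAM_SUCCESS and not failed:
                failed, status = True, rv
            if control == "requisite" and decide_on != PAM_SUCCESS:
                return status, retvals          # bail out: nothing below runs
        elif control == "sufficient":
            if decide_on == PAM_SUCCESS and not failed:
                return rv, retvals              # done: nothing below runs
            # a failing 'sufficient' is simply ignored
        # 'optional' never influences the result here
    return status, retvals


def pam_chauthtok(stack, mode):
    """Two passes; the UPDATE pass only runs if PRELIM_CHECK succeeded.

    mode "frozen":     pass 2 reuses pass 1's control decisions (the 0.75/0.76
                       behaviour the mail describes)
    mode "live":       pass 2 decides control flow from its own return values
    mode "prelim_all": option 3 as modelled here: PRELIM_CHECK calls every
                       module, treating requisite/sufficient as required;
                       pass 2 is then live
    """
    prelim_stack = stack
    if mode == "prelim_all":
        prelim_stack = [("required" if c in ("requisite", "sufficient") else c, m)
                        for c, m in stack]
    status, cached = run_pass(prelim_stack, PAM_PRELIM_CHECK)
    if status != PAM_SUCCESS:
        return status
    status, _ = run_pass(stack, PAM_UPDATE_AUTHTOK, cached if mode == "frozen" else None)
    return status


def requisite_scenario(mode):
    """Constructed stack: a requisite strength check that accepts PRELIM_CHECK
    and rejects the new password on UPDATE, then a required module that stores
    it.  Returns (status, whether the storing module was still called for UPDATE)."""
    check = Module("strength", PAM_SUCCESS, PAM_AUTHTOK_ERR)
    store = Module("unix", PAM_SUCCESS, PAM_SUCCESS)
    status = pam_chauthtok([("requisite", check), ("required", store)], mode)
    return status, PAM_UPDATE_AUTHTOK in store.calls


def sufficient_scenario(mode):
    """Constructed stack: a sufficient directory module that accepts
    PRELIM_CHECK but fails UPDATE, then a required local module.  Returns
    (status, local module saw PRELIM_CHECK, local module saw UPDATE)."""
    remote = Module("directory", PAM_SUCCESS, PAM_AUTHTOK_ERR)
    local = Module("unix", PAM_SUCCESS, PAM_SUCCESS)
    status = pam_chauthtok([("sufficient", remote), ("required", local)], mode)
    return status, PAM_PRELIM_CHECK in local.calls, PAM_UPDATE_AUTHTOK in local.calls


if __name__ == "__main__":
    for mode in ("frozen", "live", "prelim_all"):
        print(mode, requisite_scenario(mode), sufficient_scenario(mode))
```

With the frozen chain the requisite scenario ends in PAM_AUTHTOK_ERR but the storing module is still called for PAM_UPDATE_AUTHTOK, which is the "requisite behaves like required" symptom from the mail; with a live chain it is not. In the sufficient scenario the live chain does the opposite damage: the local module receives PAM_UPDATE_AUTHTOK without ever having seen PAM_PRELIM_CHECK, and the stack reports success although the directory update failed, while the frozen chain stops at the sufficient module and reports its error. The modelled "prelim_all" mode gives every module its PRELIM_CHECK and still lets requisite bail out on UPDATE, which is why the mail leans towards option 3.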