FTP (Re: Source code for Pam'd applications)

[Pavel Kankovsky <peak kerberos troja mff cuni cz>]

On Thu, 4 Feb 1999, Alan DeKok wrote:

>   Then they should be able to tell PAM what they can, and cannot, do.
> How can you make security decisions if you don't know which security
> policy is supported in your applications?

I'll document the behaviour and everything will be ok? :)

>   This could be partially solved by having the application return a
> new error: PAM_METHOD_UNSUPPORTED.  That would at least have the
> benefit that the module would get some information about what was
> happening, instead of having it's PAM_TEXT_INFO messages being dropped
> into a black hole.

PAM_TEXT_INFO is not the only problem.

>   A security system which fails without returning an error is
> seriously broken, and untrustworthy.

I always welcome constructive criticism. :)

Blackholing info messages is probably a suboptimal idea. There is an
alternative solution: one could save them to a buffer and print them out
together with the final result (hoping the clients are able to eat
multiline responses). Another approach would be to use PAM_SILENT.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"NSA GCHQ KGB CIA nuclear conspiration war weapon spy agent... Hi Echelon!"