
Re: Why should setcred be called after session open?



Nicolas Williams wrote:
> > There are other ways to do this, notably with an entry of this form at
> > the top of the authentication stack:
> >
> >   auth optional pam_foo.so no-op
> >   auth <stuff as before>
> 
> Can a module appear multiple times in the stack?

Yes.
 
> And then, how can a module distinguish the second call to its
> pam_sm_authenticate() from the first call resulting from a second call
> to pam_authenticate() by the app?!

Well, the module arguments need not be the same (no-op in the example
above). The module itself needs to implement the necessary logic. It can
use data items to store dynamic state - which are pamh specific. There
is already a PAM_MAXTRIES module return code, so it's not unheard of for
modules to keep tabs on the number of times they have been invoked.

> Solaris' /bin/login, for example, calls pam_authenticate() again, with
> the same PAM handle, if the first call fails.

As does the SimplePAMApps version.

> There is a complexity issue though. I'll drop this now. :) :)

I think this is why folk have not made much use of what is there..

Cheers

Andrew
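
One way to apply the approach described in the message above, as an added example that is not part of the original thread: the "no-op" entry at the top of the stack bumps a per-handle pass counter, so the real entry can tell a retry by the application from its first call. Assumptions: the handle type and data helpers are simplified stand-ins for pam_set_data()/pam_get_data() so the file builds without libpam, and "pam_foo_state", MAX_PASSES and password_ok (standing in for the real credential check) are hypothetical.

```c
/* Added example, not code from the thread. Builds without libpam: pam_handle_t,
 * set_data() and get_data() are simplified stand-ins for the real handle and
 * pam_set_data()/pam_get_data(); return codes are re-declared locally.
 * "pam_foo_state", MAX_PASSES and password_ok are hypothetical. */
#include <stdlib.h>
#include <string.h>

enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_AUTH_ERR = 7,
       PAM_MAXTRIES = 11, PAM_IGNORE = 25 };
#define MAX_PASSES 3

typedef struct { const char *name; void *data; } pam_handle_t; /* one data slot */
struct foo_state { int pass; int calls_in_pass; };

static void set_data(pam_handle_t *h, const char *name, void *d) {
    h->name = name; h->data = d;
}
static void *get_data(const pam_handle_t *h, const char *name) {
    return (h->name && strcmp(h->name, name) == 0) ? h->data : NULL;
}

/* Fetch this handle's state, creating it on the first invocation. */
static struct foo_state *state_for(pam_handle_t *pamh) {
    struct foo_state *st = get_data(pamh, "pam_foo_state");
    if (!st && (st = calloc(1, sizeof *st)) != NULL)
        set_data(pamh, "pam_foo_state", st); /* real API also takes a cleanup callback */
    return st;
}

/* Same role as pam_sm_authenticate(); argv holds the stack-line arguments. */
int foo_authenticate(pam_handle_t *pamh, int argc, const char **argv, int password_ok) {
    struct foo_state *st = state_for(pamh);
    if (!st) return PAM_BUF_ERR;
    for (int i = 0; i < argc; i++)
        if (strcmp(argv[i], "no-op") == 0) {
            /* Top-of-stack entry: runs once per pam_authenticate() call. */
            st->pass++;
            st->calls_in_pass = 0;
            return PAM_IGNORE;
        }
    st->calls_in_pass++;
    if (st->pass > MAX_PASSES) return PAM_MAXTRIES; /* app retried too often */
    return password_ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Which pam_authenticate() pass this handle is in (0 = none yet). */
int foo_pass(pam_handle_t *pamh) {
    struct foo_state *st = get_data(pamh, "pam_foo_state");
    return st ? st->pass : 0;
}
```

Because the state hangs off the handle, a second handle starts counting from zero, which matches the "pamh specific" behaviour of data items mentioned above.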




