Re: Old Authtok when changing passwords
- From: Thorsten Kukuk <kukuk suse de>
- To: pam-list redhat com
- Subject: Re: Old Authtok when changing passwords
- Date: Tue, 16 Apr 2002 20:50:49 +0200
On Tue, Apr 16, Andrew Morgan wrote:
> > - Why not allow the app to save the authtok? After all it has done the
> > prompting, so it possesses the authtoks, just not in a convenient way
>
> In the grand scheme of things, PAM was supposed to remove the need for
> applications to know about passwords at all. Not allowing apps to
> get/set them from PAM was a design decision - all this info was supposed
> to be something that a module managed.
Yes, but the problem is that the functions to change the password
in a pam module can also not access the token from the authentication
function.
> Reality is that some applications have very bad legacy problems -
> authentication hardwired into their communication protocol etc., but
> login is not one of them.
This is right, but login allows changing the password, but the PAM
module cannot access the already entered auth token.
> > - Why not allow pam_authenticate() to return PAM_NEW_AUTHTOK_REQD? This
> > can't be changed backwards compatibly now without also adding a new
> > API by which an app may indicate to PAM which version of PAM it
> > supports.
>
> I guess it's not clear to me why the existing account management stuff
> isn't good enough for this?
Because you cannot access the already entered old token and the user
has to type it twice?
Thorsten
--
Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk@suse.de
SuSE Linux AG Deutschherrenstr. 15-19 D-90429 Nuernberg
--------------------------------------------------------------------
Key fingerprint = A368 676B 5E1B 3E46 CFCE 2D97 F8FD 4E23 56C6 FB4B