[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: [Fwd: Re: Possible bug in PAM pam-0.99.8.1 regarding password changing]
- From: decoder <decoder own-hero net>
- To: Russ Allbery <rra stanford edu>
- Cc: Pluggable Authentication Modules <pam-list redhat com>
- Subject: Re: [Fwd: Re: Possible bug in PAM pam-0.99.8.1 regarding password changing]
- Date: Sun, 14 Oct 2007 23:35:35 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Russ Allbery wrote:
> decoder <decoder own-hero net> writes:
>
>> Basically he says that you should change your module to do the
>> policy check in the first phase (the preliminary check phase)
>
> This is not possible to do in Kerberos. There's no separate API
> call to verify a password without changing it.
>
> Long-standing behavior or not, I still think this is a bug in PAM.
> If I specify that one password change module should not be called
> if another fails, the *reasons* for the failure are not of interest
> to me. Even if it's a network failure at the last step, it should
> still fail the rest of the stack. I don't know why that wouldn't
> be possible.
I definetly agree with you there, any other behavior is just illogical
and not useful either.
I hope the PAM people agree on this and change the behavior.
Best regards,
Chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHEoumJQIKXnJyDxURAr1JAJ9PxLs1ZOjVfEF+tmVfX9sezLkeagCfXXf6
Hinsicc9vdr5L17kCFAB9aM=
=gvOr
-----END PGP SIGNATURE-----
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]