
Re: module utility library [Was: Re: ... pam limits drops privileges]



On Fri, 14 Sep 2001, Luke Howard wrote:

> [...]
> One thing, however, having written a lot of PAM modules for Darwin,
> is that I've replicated the password-changing conversation dance
> several times for different modules (NetInfo, AFP, NIS, etc). That's
> one thing that should be put in a library, but is tricky because it
> requires callbacks to authenticate a user as well as actually 
> changing their passwords, and different authentication systems handle
> password changing policies differently.

Yet this, i.e. "pam_sm_chauthtok()", is one place where the gain could be
great. 

Most modules supporting pw-changing ought, I think, to be implementing the
"try_first_pass" and "use_first_pass" options: an agreed convention.  The
corresponding code to work out what information to get from where (stack
or user), and under what conditions would be common to such modules, but
it is non-trivial (see "pam_cracklib").

This common code would be in a library.  At various points it would try to
do callbacks into the parent module (e.g. pam_cracklib), perhaps as
directed by a lookup table (or similar) supplied by that parent.  (Some of
these entries might be NULL for some parents.)

Assuming that the library idea takes off, this "pam_sm_chauthtok()"  stuff
would seem to be worth exploring further.



-- 

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :
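
An added sketch, not part of the original message and not Linux-PAM code, of the shared "try_first_pass" / "use_first_pass" decision driven by a callback table that the parent module supplies. Every identifier is hypothetical, no libpam call is made, and the sample token and callbacks are constructed; it assumes that "use_first_pass" wins when both options are given and that a missing check callback means deny.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names; models the decision only, makes no libpam calls. */
enum tok_policy { TOK_PROMPT, TOK_TRY_FIRST, TOK_USE_FIRST };

struct tok_ops {                               /* table supplied by the parent module */
    const char *(*prompt)(void *ctx);          /* ask the user; may be NULL */
    int (*check)(void *ctx, const char *tok);  /* nonzero = token accepted; required */
};

enum tok_policy parse_policy(int argc, const char **argv) {
    enum tok_policy p = TOK_PROMPT;
    for (int i = 0; i < argc; i++) {
        /* Assumption: the stricter option wins if both are given. */
        if (strcmp(argv[i], "use_first_pass") == 0) return TOK_USE_FIRST;
        if (strcmp(argv[i], "try_first_pass") == 0) p = TOK_TRY_FIRST;
    }
    return p;
}

/* Returns the accepted token, or NULL when the request must be denied. */
const char *obtain_token(enum tok_policy p, const char *stacked,
                         const struct tok_ops *ops, void *ctx) {
    if (ops == NULL || ops->check == NULL) return NULL;         /* fail closed */
    if (p != TOK_PROMPT && stacked != NULL && ops->check(ctx, stacked))
        return stacked;                        /* reuse the token left on the stack */
    if (p == TOK_USE_FIRST || ops->prompt == NULL) return NULL; /* never prompt */
    const char *t = ops->prompt(ctx);
    return (t != NULL && ops->check(ctx, t)) ? t : NULL;
}

/* Constructed sample parent: one token is valid and the "user" always types it. */
static int prompts;                            /* counts conversations with the user */
static const char *demo_prompt(void *ctx) { prompts++; return (const char *)ctx; }
static int demo_check(void *ctx, const char *tok) { return strcmp((const char *)ctx, tok) == 0; }

/* Runs one scenario; returns 1 if a token was obtained, 0 if denied. */
int demo(const char *option, const char *stacked, int can_prompt) {
    char good[] = "constructed-token";
    struct tok_ops ops = { can_prompt ? demo_prompt : NULL, demo_check };
    const char *argv[] = { option };
    prompts = 0;
    return obtain_token(parse_policy(1, argv), stacked, &ops, good) != NULL;
}
```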




