pam_chauthok and froozen chain problems
Thorsten Kukuk
kukuk at suse.de
Mon Feb 2 13:33:45 UTC 2009
Hi,
since Linux-PAM 0.75/0.76 we use a froozen chain for
pam_setcred, pam_chauthtok and pam_open_session/pam_close_session.
With pam_setcred and pam_session I have no problems, there it is
correct.
But I got now bug reports because of pam_chauthtok, and I see a
real problem there:
Nearly all modules return always PAM_SUCCESS for PAM_PRELIM_CHECK
if you try to update an password. As result, "requisite" will be
handled as "required" and the control flow will not return to the
application in a failure, but the following module on the stack
will called.
But reverting that change for pam_chauthok means breaking
"sufficient".
I see now several solutions:
1. Ignore the problem and document that "requisite" will not
work as expected in most cases for password changes.
2. Revert that change and document, that PAM_PRELIM_CHECK
after "sufficient" modules will not run, but that the
module still could be called for PAM_CHAUTHTOK.
3. Always run all modules with "PAM_PRELIM_CHECK" and
ignore "sufficient" and "requisite".
Any ideas/opinions/other choices?
Currently I tend to option 3).
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
More information about the Pam-list
mailing list