On Fri, Aug 18, 2000 at 04:36:34PM -0400, Nicolas Williams wrote:
> On Fri, Aug 18, 2000 at 04:09:48PM -0400, Nalin Dahyabhai wrote:
> > You can't pam_end() before the shell starts, because you have to call
> > pam_setcred(PAM_DELETE_CREDS) and pam_close_session() before you do
> > that. For this to work, login forks, handles the last two steps, and
> > the parent takes care of a proper PAM shutdown when its child exits.
>
> Hmmm. Well, that's not how Solaris 2.6 does it.
>
> There seems to be an assumption that you can call pam_end() without
> calling pam_close_session() and that later you can call pam_start()
> again, use pam_set_item to set the relevant items (user, ruser, rhost,
> tty) and then call pam_close_session() and pam_end().

In fact, telnetd et al. on Solaris only set the PAM_TTY and PAM_RHOST
items before calling pam_close_session().

> I think this is fine, provided that PAM, or, rather, the various PAM
> modules can retrieve the necessary state given just those items.
>
> So, on Solaris, pam_close_session() is called by telnetd and friends,
> not by /bin/login.

I kind of like this ability to use those items to retrieve state and
close the session later. As long as it works...

> > Nalin
> Nico

--