Solar Designer wrote: [] > This is acceptable if we also do one of: > > 1. Re-check the old password when doing the UPDATE, at least in the > case when PAM_PRELIM_CHECK wasn't done. Exactly what I currently implementing, just now. :) > 2. Document it more explicitly that PAM_PRELIM_CHECK is now security > critical (it should always be called, and its result should never be > ignored) in case of other implementations of PAM that may be using our > set of modules. Not as serious if module "conforms" to 1., but still yes. > I just don't like adding a security meaning to a non-security feature. In the other hand, this feature just almost unused without this treatment. It is very unlikely that you can do something useful in PAM_PRELIM_CHECK -- if some system files are missing, you will fail auth check in most cases, or at least it is "usual" administrator's mistake with that we can't deal. Even in case with network connection -- while we will be sticking asking old/new passwords, network may be just shut down. Locking there also not so useful, as you can lock for a unnecessary significant amount of time (again, while prompting user and while he chooses good password...). Regards, Michael.
