I noticed in the docs that almost every PAM entry point in a module (pam_sm_xxx) has a documented list of possible error codes that it can return. Most modules just use something like:

    if ((r = pam_set_data(...)) != PAM_SUCCESS) return r;

to return from that entry point. Thus, the question -- should those checks/returns be rewritten to be something like return PAM_SESSION_ERROR; instead of return r; or should the docs be updated to say something like "this entry can return any PAM_error_code, but the most "significant" codes are:"? The first case seemed to be too nontrivial.

Also, in the case of the auth stack: what should a module do with an empty username? I.e. if pam_get_user returned an empty string? Login from util-linux doesn't understand PAM_INCOMPLETE in this case...

P.S. login from util-linux has just too many bugs :((

    $ login
    login: ^D
    login: ^D
    Segmentation fault (core dumped)
    $ _

With this, we should really be _very_ careful with tidying up passwords inside pam modules...
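A sketch of what the first option in the message above could look like, as an added example that is not part of the original post or of any PAM module: each entry point gets a table of the codes it may return, and anything else collapses to a fallback. The `rc_contract` type, `normalize_rc`, `check_user`, the contents of the two tables and the empty-username policy are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Values as in Linux-PAM's <security/_pam_types.h>; a real module would
 * include <security/pam_modules.h> instead of defining them. */
#define PAM_SUCCESS           0
#define PAM_SYSTEM_ERR        4
#define PAM_BUF_ERR           5
#define PAM_AUTH_ERR          7
#define PAM_CRED_INSUFFICIENT 8
#define PAM_AUTHINFO_UNAVAIL  9
#define PAM_USER_UNKNOWN      10
#define PAM_MAXTRIES          11
#define PAM_SESSION_ERR       14

/* Hypothetical per-entry-point contract: codes allowed out, plus a fallback. */
struct rc_contract { const int *allowed; size_t n; int fallback; };

/* Assumed tables; check them against the docs of each entry point. */
static const int session_ok[] = { PAM_SUCCESS, PAM_SESSION_ERR };
static const int auth_ok[] = { PAM_SUCCESS, PAM_AUTH_ERR, PAM_CRED_INSUFFICIENT,
                               PAM_AUTHINFO_UNAVAIL, PAM_USER_UNKNOWN, PAM_MAXTRIES };
static const struct rc_contract SESSION =
    { session_ok, sizeof session_ok / sizeof session_ok[0], PAM_SESSION_ERR };
static const struct rc_contract AUTH =
    { auth_ok, sizeof auth_ok / sizeof auth_ok[0], PAM_AUTH_ERR };

/* Pass r through if the entry point documents it, else return the fallback. */
static int normalize_rc(const struct rc_contract *c, int r)
{
    for (size_t i = 0; i < c->n; i++)
        if (c->allowed[i] == r)
            return r;
    return c->fallback;
}

/* Assumed policy: a NULL or empty name from pam_get_user() is an unknown user. */
static int check_user(int get_user_rc, const char *user)
{
    if (get_user_rc != PAM_SUCCESS)
        return normalize_rc(&AUTH, get_user_rc);
    return (user == NULL || user[0] == '\0') ? PAM_USER_UNKNOWN : PAM_SUCCESS;
}

int main(void)
{
    /* Constructed case: pam_set_data() failed with PAM_BUF_ERR in a session hook. */
    printf("session: %d\n", normalize_rc(&SESSION, PAM_BUF_ERR));
    printf("auth, empty user: %d\n", check_user(PAM_SUCCESS, ""));
    return 0;
}
```

Since the mapping discards the original code, a module using it would want to log `r` before returning the normalized value.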