OK, the part below seems quite reasonable

http://sourceforge.net/bugs/?func=detailbug&bug_id=129027&group_id=6663

Cheers

Andrew

Nicolas Williams wrote:

> Also, the comments in the source indicate that the reason for the
> current handling of the PAM_*AUTHTOK items is that the XSSO spec says
> that the application shouldn't have access to them. That's one thing,
> but to not preserve the tokens across PAM calls is another.
>
> I think a change could be made such that pam_get_item() uses a flag in
> the pam_handle to determine whether it's being called by the application
> or by a module and act accordingly. This flag would be set/unset when
> entering/exiting the pam_authenticate(), pam_acct_mgmt(), pam_setcred(),
> pam_open_session(), pam_close_session(), pam_chauthtok() and the
> converse support function.
>
> Thus preserving the spec semantics.
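
The flag scheme proposed in the quoted message, sketched as an added example that is not part of the original thread and not the PAM library's own code. Every `toy_`/`TOY_` name is hypothetical, and the handle layout and sample token are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of the proposal; every name here is hypothetical, not the library's. */
enum { TOY_SUCCESS, TOY_BAD_ITEM };
enum { TOY_USER, TOY_AUTHTOK, TOY_NITEMS };
enum toy_caller { TOY_FROM_APP, TOY_FROM_MODULE };

struct toy_handle {
    enum toy_caller caller_is;   /* the flag proposed in the message */
    char items[TOY_NITEMS][64];  /* items live as long as the handle */
};

int toy_set_item(struct toy_handle *h, int item, const char *val) {
    if (item < 0 || item >= TOY_NITEMS || val == NULL)
        return TOY_BAD_ITEM;
    snprintf(h->items[item], sizeof h->items[item], "%s", val);
    return TOY_SUCCESS;
}

int toy_get_item(const struct toy_handle *h, int item, const char **out) {
    *out = NULL;
    if (item < 0 || item >= TOY_NITEMS)
        return TOY_BAD_ITEM;
    if (item == TOY_AUTHTOK && h->caller_is != TOY_FROM_MODULE)
        return TOY_BAD_ITEM;     /* hidden from the application, not erased */
    *out = h->items[item];
    return TOY_SUCCESS;
}

/* Stand-in for pam_authenticate(), pam_acct_mgmt(), ...: flag set on entry, cleared on exit. */
int toy_dispatch(struct toy_handle *h, int (*module)(struct toy_handle *)) {
    h->caller_is = TOY_FROM_MODULE;
    int rc = module(h);
    h->caller_is = TOY_FROM_APP;
    return rc;
}

/* Constructed modules: one stores a token, a later call reads it back. */
int toy_auth_module(struct toy_handle *h) {
    return toy_set_item(h, TOY_AUTHTOK, "constructed-secret");
}

int toy_acct_module(struct toy_handle *h) {
    const char *tok;
    if (toy_get_item(h, TOY_AUTHTOK, &tok) != TOY_SUCCESS)
        return TOY_BAD_ITEM;
    return strcmp(tok, "constructed-secret") == 0 ? TOY_SUCCESS : TOY_BAD_ITEM;
}
```

The token stays in the handle between the two dispatches, while a `toy_get_item()` call made outside `toy_dispatch()` is refused.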