On Sun, 4 Mar 2001, Nicolas Williams wrote:

> We can probably put in #ifdef'ed fixes for this in all modules that
> prompt for more than one item at a time. :/

Not pretty... this will certainly be the only way to make modules compatible across all existing PAM implementations, though (regardless of what approach is taken to make the implementations compatible in the future).

Incidentally, does anyone have a guide for cross-platform PAM programming, that covers all the minor incompatibilities one's likely to run into when writing modules/apps? I think the question has come up on the mailing list before, but I don't remember if anyone has done any compilation work on it yet.

> Another possible fix would be to make a module prompt for one item at a
> time. That was something I was already going to make an option in this
> module because CDE's dtgreet only handles a prompt at a time anyways
> (which means dtlogin has to break-up multi-prompts and, I think, it is
> buggy wrt multi-prompts, at least on Solaris 8 BETA_REFRESH [yes, I
> need to upgrade]).

> I see no reason why it is necessary or better to send these three prompts at
> once rather than one after the other:

> "Password expired. You must change it now."
> "Enter new password"
> "Enter it again"

> That would be a simple fix, though it will only work as long as there
> isn't an absolute need to prompt multiple prompts in one go.

In general this is a reasonable workaround, but I can easily see cases where calling the conversation function once versus multiple times would make a difference. Certainly, it will always be (marginally) more efficient to call the conversation function as few times as possible, so all other things being equal it makes sense for pam_krb5 to do as it does now; but there may also be cases where each call to the conversation function is very expensive (cryptographic setup/teardown?), or where a set of messages are interrelated and should therefore be passed together so that the relationship between them is evident. E.g., what if you have a conversation function that tacks headers/footers onto each message set? What if your conversation function displays the messages using a web page? (Not a hypothetical scenario; I have such a conversation function that works quite well with other pam_krb5 implementations. :)

So there may not be an /absolute/ need to send multiple prompts in one go, but it's certainly unfortunate if we have to give up this functionality in exchange for portability.

Regards,
Steve Langasek
postmodern programmer
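
The trade-off discussed in this message, as an added example that is not part of the original post or of pam_krb5: a hypothetical module helper, `send_prompts`, delivers the three password-change messages either in one conversation call or one at a time, and a constructed application callback that puts a header on each message set shows what changes. The struct and constant definitions are stand-ins for `<security/pam_appl.h>` (an assumption, so the block builds without libpam).

```c
#include <stdio.h>
#include <stdlib.h>
/* Stand-ins for <security/pam_appl.h> so this builds without libpam. */
enum { PAM_SUCCESS = 0, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_OFF = 1, PAM_TEXT_INFO = 4 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv { int (*conv)(int, const struct pam_message **,
                              struct pam_response **, void *); void *appdata_ptr; };

/* Constructed application callback: puts a header on every message set. */
static int framing_conv(int n, const struct pam_message **msg,
                        struct pam_response **resp, void *appdata)
{
    int *calls = appdata;               /* call counter supplied by the caller */
    if ((*resp = calloc((size_t)n, sizeof **resp)) == NULL) return PAM_CONV_ERR;
    (*calls)++;
    puts("==== message from login service ====");
    for (int i = 0; i < n; i++) puts(msg[i]->msg);
    return PAM_SUCCESS;
}

/* Hypothetical module helper: one batched call, or one call per message. */
static int send_prompts(const struct pam_conv *pc, const struct pam_message *m,
                        int n, int one_at_a_time)
{
    const struct pam_message *ptrs[8];
    int step = one_at_a_time ? 1 : n;
    if (step > 8) return PAM_CONV_ERR;
    for (int off = 0; off < n; off += step) {
        struct pam_response *resp = NULL;
        for (int i = 0; i < step; i++) ptrs[i] = &m[off + i];
        int rc = pc->conv(step, ptrs, &resp, pc->appdata_ptr);
        free(resp);                     /* no reply strings are set in this demo */
        if (rc != PAM_SUCCESS) return rc;
    }
    return PAM_SUCCESS;
}

/* Returns how many times the conversation function was called, or -1. */
int run_demo(int one_at_a_time)
{
    static const struct pam_message m[3] = {
        { PAM_TEXT_INFO,       "Password expired. You must change it now." },
        { PAM_PROMPT_ECHO_OFF, "Enter new password" },
        { PAM_PROMPT_ECHO_OFF, "Enter it again" },
    };
    int calls = 0;
    struct pam_conv pc = { framing_conv, &calls };
    return send_prompts(&pc, m, 3, one_at_a_time) == PAM_SUCCESS ? calls : -1;
}
```

Batched, the callback runs once and the header appears once above the related messages; one at a time, it runs three times and each message gets its own header.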