Re: Incompatibility between Linux-PAM and other PAM?

On Sun, Mar 04, 2001 at 02:12:58PM -0600, Steve Langasek wrote:
> On Sun, 4 Mar 2001, Nicolas Williams wrote:
> 
> Incidentally, does anyone have a guide for cross-platform PAM programming,
> that covers all the minor incompatibilities one's likely to run into when
> writing modules/apps?  I think the question has come up on the mailing list
> before, but I don't remember if anyone has done any compilation work on it
> yet.

http://www.dementia.org/~shadow/pam.html

> > That would be a simple fix, though it will only work as long as there
> > isn't an absolute need to prompt multiple prompts in one go.
> 
> In general this is a reasonable workaround, but I can easily see cases where
> calling the conversation function once versus multiple times would make a
> difference.  Certainly, it will always be (marginally) more efficient to call
> the conversation function as few times as possible, so all other things being
> equal it makes sense for pam_krb5 to do as it does now; but there may also be
> cases where each call to the conversation function is very expensive
> (cryptographic setup/teardown?), or where a set of messages are interrelated
> and should therefore be passed together so that the relationship between them
> is evident.  E.g., what if you have a conversation function that tacks
> headers/footers onto each message set?  What if your conversation function
> displays the messages using a web page?  (Not a hypothetical scenario; I have
> such a conversation function that works quite well with other pam_krb5
> implementations.:)

Ah, but do those modules use krb5_get_init_creds_password()? Or do they
use the krb5_get_in_tkt_with_password() API? The difference is in how to
do password aging. The former does all the work, the latter merely
returns an error when the password is expired (unless the target
principal name is a password-changing service).

> So there may not be an /absolute/ need to send multiple prompts in one go, but
> it's certainly unfortunate if we have to give up this functionality in
> exchange for portability.

Agreed. For now I'll modify my version of this module to support an
option to prompt one prompt at a time.


> Regards,
> Steve Langasek
> postmodern programmer
> 


Nico
--
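
The "one prompt at a time" option discussed above, sketched as an added example (not code from this message or from pam_krb5). The helper name, the stand-in type definitions and both sample conversation functions are constructed here. That the portability problem is how a conversation function indexes `msg` is an assumption; with `num_msg == 1` the two indexing styles read the same message.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins for <security/pam_appl.h> so this builds without libpam. */
enum { PAM_SUCCESS = 0, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_OFF = 1 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
typedef int conv_fn(int, const struct pam_message **, struct pam_response **, void *);
struct pam_conv { conv_fn *conv; void *appdata_ptr; };

/* Hypothetical helper: n prompts become n conversations of one message each.
 * On success the caller owns out[i].resp and must free it. */
int converse_one_at_a_time(const struct pam_conv *pc, int n,
                           const struct pam_message *msgs, struct pam_response *out)
{
    for (int i = 0; i < n; i++) {
        const struct pam_message *one = &msgs[i];
        struct pam_response *r = NULL;
        int rc = pc->conv(1, &one, &r, pc->appdata_ptr);
        if (rc != PAM_SUCCESS || r == NULL) {
            while (i-- > 0)              /* drop the answers collected so far */
                free(out[i].resp);
            return rc != PAM_SUCCESS ? rc : PAM_CONV_ERR;
        }
        out[i] = *r;                     /* take ownership of the reply string */
        free(r);
    }
    return PAM_SUCCESS;
}

/* Constructed conversation functions: each counts its calls in *calls and
 * echoes the prompt text back as the answer. They differ only in indexing. */
static int reply(const struct pam_message *m, struct pam_response **resp, void *calls)
{
    size_t len = strlen(m->msg) + 1;
    struct pam_response *r = calloc(1, sizeof *r);
    if (r == NULL || (r->resp = malloc(len)) == NULL) { free(r); return PAM_CONV_ERR; }
    memcpy(r->resp, m->msg, len);
    ++*(int *)calls;
    *resp = r;
    return PAM_SUCCESS;
}
int conv_array_of_pointers(int n, const struct pam_message **msg,
                           struct pam_response **resp, void *calls)
{ return n == 1 ? reply(msg[0], resp, calls) : PAM_CONV_ERR; }     /* msg[i] points at message i */
int conv_pointer_to_array(int n, const struct pam_message **msg,
                          struct pam_response **resp, void *calls)
{ return n == 1 ? reply(&(*msg)[0], resp, calls) : PAM_CONV_ERR; } /* *msg is the array base */
```

The cost is the one raised in the quoted reply: the conversation function runs once per prompt, so it can no longer see that the prompts belong together.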




