Nicolas Williams wrote: > > There are other ways to do this, notably with an entry of this form at > > the top of the authentication stack: > > > > auth optional pam_foo.so no-op > > auth <stuff as before> > > Can a module appear multiple times in the stack? Yes. > And then, how can a module distinguish the second call to its > pam_sm_authenticate() from the first call resulting from a second call > to pam_authenticate() by the app?! Well, the module arguments need not be the same (no-op in the example above). The module itself needs to implement the necessary logic. It can use data items to store dynamic state - which are pamh specific. There is already a PAM_MAXTRIES module return code, so its not unheard of for modules to keep tabs on the number of times they have been invoked. > Solaris' /bin/login, for example, calls pam_authenticate() again, with > the same PAM handle, if the first call fails. As does the SimplePAMApps version. > There is a complexity issue though. I'll drop this now. :) :) I think this is why folk have not made much use of what is there.. Cheers Andrew