Chris,

On Fri, 20 Jul 2001, Chris Riley wrote:

> Is it possible for a module to give the application more information about
> an authentication?

> I'm using pam_krb5 and I want to be able to distinguish between someone
> failing authentication because of a bad password and failing because the
> clocks are out of sync. It's not feasible to run something to synchronize
> the clocks at this time. But it would be great if PAM could somehow tell
> the application how the failure happens.

> At the moment pam_krb5 just returns PAM_AUTH_FAIL to PAM. Is there some
> way to pass along extra information that could be returned to the
> application?

Clearly, PAM doesn't have a failure code that corresponds to the Kerberos 'clocks are out of sync' condition. The two other ways available for PAM modules to return status information are PAM_INFO/PAM_ERROR messages sent using the PAM conversation function, and log messages recorded using syslog or an equivalent service. Which you would use depends on who you want to see the information.

Attempting to base your system authentication on Kerberos without having synchronized clocks is going to cause no end of problems. Indeed, if you look at the Kerberos documentation you'll find clock synchronization stated as a non-negotiable requirement. Can I ask why it's not feasible for you to run some sort of time synchronization tool on this machine?

Regards,
Steve Langasek
postmodern programmer
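The two channels named in the reply above, as an added example that is not part of the original message and not pam_krb5's code: a helper that logs the failure reason with syslog and sends a `PAM_ERROR_MSG` through the conversation function. `report_failure`, `fail_reason`, `seen` and `capture_conv` are hypothetical names, and the message texts are constructed.

```c
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#if __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else /* no libpam headers: mirror the Linux-PAM declarations used here */
#define PAM_SUCCESS 0
#define PAM_ERROR_MSG 3
#define PAM_CONV_ERR 19
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};
#endif

enum fail_reason { FAIL_BAD_PASSWORD, FAIL_CLOCK_SKEW }; /* hypothetical */
/* Log the reason for the administrator and show the user a PAM_ERROR_MSG via
 * the application's conversation function (a real module obtains conv with
 * pam_get_item(pamh, PAM_CONV, ...)). Returns the conversation result. */
int report_failure(const struct pam_conv *conv, const char *user,
                   enum fail_reason why)
{
    int skew = (why == FAIL_CLOCK_SKEW);
    struct pam_message msg = { PAM_ERROR_MSG, skew
        ? "Authentication failed: clock out of sync with Kerberos server"
        : "Authentication failed" };
    const struct pam_message *msgp = &msg;
    struct pam_response *resp = NULL;
    int rc;
    syslog(LOG_AUTH | LOG_NOTICE, "auth failure for %s: %s", user,
           skew ? "clock skew" : "bad password");
    if (conv == NULL || conv->conv == NULL) return PAM_CONV_ERR;
    rc = conv->conv(1, &msgp, &resp, conv->appdata_ptr);
    if (resp != NULL) { free(resp->resp); free(resp); } /* module owns replies */
    return rc;
}

/* Constructed stand-in for an application: records the message it was shown. */
struct seen { int style; const char *text; };
int capture_conv(int n, const struct pam_message **m,
                 struct pam_response **r, void *appdata)
{
    struct seen *s = appdata;
    if (n != 1) return PAM_CONV_ERR;
    s->style = m[0]->msg_style; s->text = m[0]->msg;
    *r = NULL;
    return PAM_SUCCESS;
}
```

The conversation message reaches whoever is at the prompt before they have authenticated, while the syslog line is seen only by the administrator.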