On Fri, 14 Sep 2001, Luke Howard wrote:

> [...]
> One thing, however, having written a lot of PAM modules for Darwin,
> is that I've replicated the password-changing conversation dance
> several times for different modules (NetInfo, AFP, NIS, etc). That's
> one thing that should be put in a library, but is tricky because it
> requires callbacks to authenticate a user as well as actually
> changing their passwords, and different authentication systems handle
> password changing policies differently.

Yet this, i.e. "pam_sm_chauthtok()", is one place where the gain could be great.

Most modules supporting pw-changing ought, I think, to be implementing the "try_first_pass" and "use_first_pass" options: an agreed convention. The corresponding code to work out what information to get from where (stack or user), and under what conditions would be common to such modules, but it is non-trivial (see "pam_cracklib"). This common code would be in a library. At various points it would try to do callbacks into the parent module (e.g. pam_cracklib), perhaps as directed by a lookup table (or similar) supplied by that parent. (Some of these entries might be NULL for some parents.)

Assuming that the library idea takes off, this "pam_sm_chauthtok()" stuff would seem to be worth exploring further.

-- 
: David Lee                                I.T. Service          :
: Systems Programmer                       Computer Centre       :
:                                          University of Durham  :
: http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                          Durham                :
: Phone: +44 191 374 2882                  U.K.                  :
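The "where does the new token come from" decision and the parent-callback table discussed in the mail, as an added example that is not part of the original message or of any PAM implementation. It models the common library routine a pam_sm_chauthtok() could delegate to: honour use_first_pass (stack only, never prompt), try_first_pass (stack first, prompt as fallback) or neither (always prompt), then call back into the parent module through a table whose entries may be NULL. Everything here is an assumption for illustration: the PAM-like status names carry local values rather than libpam's, the conversation function is a plain callback, the user "alice", the stacked and typed passwords and the minimum-length policy are constructed.

```c
/* Added example, not code from the mailing-list thread or any PAM
 * implementation: a model of the shared pam_sm_chauthtok() logic the mail
 * describes. It decides where the new password comes from (the module stack
 * or the user) under the try_first_pass / use_first_pass convention, then
 * calls back into the parent module through a table whose entries may be
 * NULL. Nothing links against libpam: the status codes, the conversation
 * function and the sample data are local stand-ins (assumptions). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-ins for libpam status codes; values are ours, not libpam's. */
enum { PAM_SUCCESS = 0, PAM_CONV_ERR = 19, PAM_AUTHTOK_ERR = 20,
       PAM_AUTHTOK_RECOVERY_ERR = 21 };

struct chauthtok_opts { int try_first_pass; int use_first_pass; };

/* Parent-module callback table (the "lookup table" of the proposal). */
struct chauthtok_parent {
    int (*check_policy)(const char *user, const char *newtok); /* 0 = accept; may be NULL */
    int (*set_password)(const char *user, const char *newtok); /* 0 = stored; may be NULL */
};

/* Conversation stand-in: returns a malloc'd answer, or NULL if the user gave none. */
typedef char *(*prompt_fn)(const char *prompt);

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Parse the module's argv the way a pam.conf line would pass it. */
static struct chauthtok_opts parse_opts(int argc, const char *argv[]) {
    struct chauthtok_opts o = {0, 0};
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "try_first_pass") == 0) o.try_first_pass = 1;
        else if (strcmp(argv[i], "use_first_pass") == 0) o.use_first_pass = 1;
    }
    return o;
}

/* The common routine: source the token, then run the parent's callbacks.
 * stacked_tok models PAM_AUTHTOK left by an earlier module (NULL if none). */
static int lib_chauthtok(const char *user, const struct chauthtok_opts *o,
                         const char *stacked_tok, prompt_fn prompt,
                         const struct chauthtok_parent *parent) {
    char *tok;
    if (o->use_first_pass) {
        if (!stacked_tok) return PAM_AUTHTOK_RECOVERY_ERR; /* stack only, never prompt */
        tok = dup_str(stacked_tok);
    } else if (o->try_first_pass && stacked_tok) {
        tok = dup_str(stacked_tok);                         /* stack first, prompt on fallback */
    } else {
        tok = prompt ? prompt("New password: ") : NULL;    /* plain prompt */
    }
    if (!tok) return PAM_CONV_ERR;
    int rc = PAM_SUCCESS;
    if (parent && parent->check_policy && parent->check_policy(user, tok) != 0)
        rc = PAM_AUTHTOK_ERR;
    else if (parent && parent->set_password && parent->set_password(user, tok) != 0)
        rc = PAM_AUTHTOK_ERR;
    memset(tok, 0, strlen(tok)); /* scrub the secret before releasing it */
    free(tok);
    return rc;
}

/* Constructed parent module: a minimum-length policy and an in-memory store. */
static char committed[64] = "";
static int min_len_policy(const char *user, const char *tok) { (void)user; return strlen(tok) < 8; }
static int store_password(const char *user, const char *tok) {
    (void)user;
    strncpy(committed, tok, sizeof committed - 1);
    committed[sizeof committed - 1] = '\0';
    return 0;
}
const char *last_committed(void) { return committed; }

/* Constructed users: one who types a password at the prompt, one who gives nothing. */
static char *typing_user(const char *p) { (void)p; return dup_str("typed-by-user-123"); }
static char *silent_user(const char *p) { (void)p; return NULL; }

static const struct chauthtok_parent strict = { min_len_policy, store_password };
static const struct chauthtok_parent lax = { NULL, store_password }; /* NULL entry, as in the mail */

/* Run one configuration: option word (or NULL), stacked token (or NULL), user, parent. */
int run_scenario(const char *opt, const char *stacked, prompt_fn user,
                 const struct chauthtok_parent *p) {
    const char *argv[1] = { opt };
    struct chauthtok_opts o = parse_opts(opt ? 1 : 0, argv);
    committed[0] = '\0';
    return lib_chauthtok("alice", &o, stacked, user, p);
}

int main(void) {
    printf("use_first_pass, empty stack: %d\n", run_scenario("use_first_pass", NULL, typing_user, &strict));
    printf("try_first_pass, empty stack: %d (%s)\n",
           run_scenario("try_first_pass", NULL, typing_user, &strict), last_committed());
    return 0;
}
```

The point the mail makes about non-triviality shows up in the branches: use_first_pass must fail rather than prompt when the stack is empty, try_first_pass must fall through to the conversation, and the policy callback has to run on whichever token was chosen, so a parent that leaves check_policy NULL gets no policy at all.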