Linux-PAM-0.75
Kerberos 1.2.2
Frank Cusack's pam_krb5 module

I have a question regarding proper behaviour of pam_chauthtok and PAM_PRELIM_CHECK.

My service config looks like the following:

    #/etc/pam.d/passwd
    passwd requisite pam_krb5.so
    passwd required pam_shadow_update.so

What's happening is this: I run /usr/bin/passwd, I key in an invalid password, pam_krb5 does not update my password, but any stacked modules are still run even though I've set pam_krb5 to requisite (exit on failure, right?).

Now, I think I understand what's going on, so here goes; correct me if my understanding of the calling order is wrong...

pam_chauthtok is called initially with flags|PAM_PRELIM_CHECK (presumably this is to allow the module a chance to verify everything before actually doing the commit).

1. Are all modules called with PAM_PRELIM, then called a second time with PAM_UPDATE?
2. What should I return if my module doesn't want to worry about PAM_PRELIM?
3. Is (2) even valid? Or am I not following PAM's rules?

pam_chauthtok is then called a second time with flags|PAM_UPDATE_AUTHTOK.

Looking through pam_dispatch.c [~ line 285], it seems that when pam_chauthtok is called with PAM_UPDATE_AUTHTOK set, use_cached_chain gets set to 1. Then, in _pam_dispatch_aux() [~ line 102], the cached return value gets used instead of the actual return code (from the second call)... Is this really the desired behaviour? Are we assuming that the second call cannot fail because the prelim check didn't? This seems wrong to me...

BTW, Frank's module doesn't implement PRELIM, so I'm trying to figure out the best way to fix this with the least amount of work... If the answer is that I'll need to implement PRELIM checking, so be it...

Thanks,
-b
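The two-pass behaviour described in the message above, as an added example that is not part of the original post and is not Linux-PAM source: a simplified C model of a password stack in which the UPDATE pass takes its stop/continue decision from the value cached during PRELIM. The module functions, the two-value return codes and the two control flags are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified model (not Linux-PAM source): two return codes, two control flags. */
enum { OK = 0, ERR = 1 };
enum { PRELIM = 0, UPDATE = 1 };
enum { REQUIRED = 0, REQUISITE = 1 };

typedef int (*chauthtok_fn)(int phase);

struct entry { int control; chauthtok_fn fn; int cached; int update_calls; };

/* Hypothetical module that skips PRELIM and only fails in UPDATE. */
static int no_prelim(int phase) { return phase == PRELIM ? OK : ERR; }
/* Hypothetical module that rejects the bad old password already in PRELIM. */
static int with_prelim(int phase) { (void)phase; return ERR; }
/* Stand-in for a stacked module that always succeeds. */
static int always_ok(int phase) { (void)phase; return OK; }

/* One pass over the stack. In UPDATE the stop/continue decision is taken
   from the value cached during PRELIM, as the post describes. */
static int dispatch(struct entry *st, int n, int phase) {
    int status = OK;
    for (int i = 0; i < n; i++) {
        int rv = st[i].fn(phase);
        if (phase == PRELIM) st[i].cached = rv;   /* freeze the chain */
        else st[i].update_calls++;
        int decide = st[i].cached;                /* not rv, in UPDATE */
        if (rv != OK && status == OK) status = rv;
        if (decide != OK && st[i].control == REQUISITE) break;
    }
    return status;
}

/* Model of pam_chauthtok(): UPDATE runs only if PRELIM succeeded.
   Returns how many times the second module ran in the UPDATE pass. */
int second_module_update_calls(chauthtok_fn first) {
    struct entry st[2] = { { REQUISITE, first, OK, 0 }, { REQUIRED, always_ok, OK, 0 } };
    if (dispatch(st, 2, PRELIM) == OK)
        dispatch(st, 2, UPDATE);
    return st[1].update_calls;
}

int main(void) {
    printf("first module skips PRELIM:  second ran %d time(s)\n", second_module_update_calls(no_prelim));
    printf("first module checks PRELIM: second ran %d time(s)\n", second_module_update_calls(with_prelim));
    return 0;
}
```

In this model a requisite module can only stop the stack by failing during PRELIM; a failure that first appears in UPDATE still lets the later module run.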