On Sat, 22 Dec 2001, Michael Tokarev wrote:

> What you ask will be a non-trivial task, if at all possible. Strictly
> speaking it is not possible, but let's draw a picture first. A PAM
> module calls a user callback, expecting an answer to be filled in
> or an error to be returned. One of the return codes can be PAM_CONV_AGAIN.
> After this return, a module should return PAM_INCOMPLETE to the caller,
> and the caller should ensure the conversation is ready and call the PAM
> routine (e.g. pam_authenticate) again. Looks like just what you want.
> But there are two problems.
> First of all, not all modules are ready to handle PAM_CONV_AGAIN
> properly (some of them will return some sort of generic error to the
> caller, e.g. PAM_AUTH_ERR). Those are bugs but it is difficult to fix
> them. (I looked at the PAM sources last about a year ago, so things
> might have changed, but I doubt they have.)

Honestly, I think that PAM modules would better support the event-driven model if there were applications that needed it. It would be a simple matter to roll PAM_CONV_AGAIN support into all of the modules shipped with Linux-PAM -- the changes are small, just time-consuming to apply to all of the modules; and personally, I got a little bored implementing a feature that I'd never seen used in the real world. :)

> And second, even if you do what looks like the way to go, things
> will not work. There will be no mapping between old and new prompts
> and responses. Even if you collect both, there will be no way
> to fill in answers to old questions into new questions. Moreover,
> there is no guarantee that new prompts will be the same! Currently,
> with commonly used modules, you will get the same prompts in the
> same sequence next time. But nothing stops a module from asking
> other questions.

Actually, it's implied that a module which returns PAM_INCOMPLETE is smart enough to save all of its state and re-ask the same set of questions the next time it's called.

You're right that it wouldn't be very useful otherwise. I think the PAM_CONV_AGAIN/PAM_INCOMPLETE support found in Linux-PAM is precisely the sort of thing that would address the needs of ssh.

Cheers,
Steve Langasek
postmodern programmer
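The handshake the thread describes, written out as an added example (not code from the thread, from Linux-PAM, or from any real module): the conversation callback reports PAM_CONV_AGAIN when the event loop has not yet delivered the client's reply, the module returns PAM_INCOMPLETE while keeping its own state, and the application calls the module again once a reply is in hand. The constants are defined locally with the same names as Linux-PAM's so the file builds without libpam; the two-prompt "token serial / PIN" flow, the struct names and the sample secrets are all constructed for illustration, and the function names only play the roles of pam_conv's conv() and pam_sm_authenticate().

```c
/* Model of the PAM_CONV_AGAIN / PAM_INCOMPLETE handshake.
 * Added example, not Linux-PAM code. Return-code values are defined here
 * (same names as Linux-PAM's) so this builds without <security/pam_appl.h>. */
#include <stdio.h>
#include <string.h>

#define PAM_SUCCESS      0
#define PAM_AUTH_ERR     7
#define PAM_CONV_AGAIN  30
#define PAM_INCOMPLETE  31

#define NPROMPTS 2

/* Application side of the conversation. In an event-driven server the reply
 * is not available when the module asks for it; the event loop delivers it
 * later, so the callback can only report "not yet". */
struct app_conv {
    const char *pending;   /* reply delivered by the event loop, or NULL */
};

/* Role of pam_conv's conv(). Each delivered reply is consumed by exactly one
 * prompt, so a reply can never be handed to a different question later. */
static int conv_fn(struct app_conv *app, const char *prompt, const char **resp)
{
    (void)prompt;                 /* a real callback would display it */
    if (app->pending == NULL)
        return PAM_CONV_AGAIN;
    *resp = app->pending;
    app->pending = NULL;
    return PAM_SUCCESS;
}

/* Module side. The step index and the answers collected so far persist
 * across calls; that is what lets a PAM_INCOMPLETE return be resumed with
 * the same prompts in the same order. */
struct mod_state {
    int step;
    const char *answers[NPROMPTS];
    const char *expected[NPROMPTS];   /* constructed sample secrets */
};

static const char *const prompts[NPROMPTS] = { "Token serial: ", "PIN: " };

/* Role of pam_sm_authenticate() for a module that handles PAM_CONV_AGAIN. */
static int mod_authenticate(struct mod_state *st, struct app_conv *app)
{
    while (st->step < NPROMPTS) {
        const char *resp = NULL;
        int rc = conv_fn(app, prompts[st->step], &resp);
        if (rc == PAM_CONV_AGAIN)
            return PAM_INCOMPLETE;    /* state kept; caller must retry */
        if (rc != PAM_SUCCESS) {
            st->step = 0;
            return PAM_AUTH_ERR;
        }
        st->answers[st->step++] = resp;
    }
    /* All prompts answered: verify, then reset for the next attempt. */
    int ok = 1;
    for (int i = 0; i < NPROMPTS; i++)
        ok &= (strcmp(st->answers[i], st->expected[i]) == 0);
    st->step = 0;
    return ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Application driver: re-calls the module each time the event loop has a
 * reply, as the thread describes for pam_authenticate(). Stores the return
 * code of every call in rcs[] and returns how many calls were made. */
static int run_handshake(const char *serial, const char *pin, int rcs[3])
{
    struct app_conv app = { NULL };
    struct mod_state st = { 0, { NULL, NULL }, { "12345", "4711" } };
    const char *replies[NPROMPTS] = { serial, pin };
    int calls = 0, next_reply = 0;

    rcs[calls++] = mod_authenticate(&st, &app);   /* no reply yet */
    while (rcs[calls - 1] == PAM_INCOMPLETE && calls < 3) {
        /* event loop delivers the client's reply to the outstanding prompt */
        app.pending = replies[next_reply++];
        rcs[calls++] = mod_authenticate(&st, &app);
    }
    return calls;
}

int main(void)
{
    int rcs[3];
    int n = run_handshake("12345", "4711", rcs);
    for (int i = 0; i < n; i++)
        printf("call %d -> %d\n", i + 1, rcs[i]);   /* 31, 31, 0 */
    n = run_handshake("12345", "0000", rcs);
    printf("wrong PIN: last rc %d\n", rcs[n - 1]); /* 7 */
    return 0;
}
```

The driver makes three calls for a two-prompt module: the first returns PAM_INCOMPLETE before any reply exists, the second consumes the serial and again returns PAM_INCOMPLETE while waiting for the PIN, and the third verifies both. A module that instead mapped PAM_CONV_AGAIN to PAM_AUTH_ERR, the bug the thread mentions, would fail on the very first call and never reach the retry.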