On Tue, Apr 16, Andrew Morgan wrote:

> > - Why not allow the app to save the authtok? After all it has done the
> > prompting, so it possesses the authtoks, just not in a convenient way
>
> In the grand scheme of things, PAM was supposed to remove the need for
> applications to know about passwords at all. Not allowing apps to
> get/set them from PAM was a design decision - all this info was supposed
> to be something that a module managed.

Yes, but the problem is that the functions to change the password in a PAM module also cannot access the token from the authentication function.

> Reality is that some applications have very bad legacy problems -
> authentication hardwired into their communication protocol etc., but
> login is not one of them.

This is right, but login allows changing the password, and the PAM module cannot access the already entered auth token.

> > - Why not allow pam_authenticate() to return PAM_NEW_AUTHTOK_REQD? This
> > can't be changed backwards compatibly now without also adding a new
> > API by which an app may indicate to PAM which version of PAM it
> > supports.
>
> I guess it's not clear to me why the existing account management stuff
> isn't good enough for this?

Because you cannot access the already entered old token and the user has to type it twice?

Thorsten

--
Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk@suse.de
SuSE Linux AG Deutschherrenstr. 15-19 D-90429 Nuernberg
--------------------------------------------------------------------
Key fingerprint = A368 676B 5E1B 3E46 CFCE 2D97 F8FD 4E23 56C6 FB4B