Thorsten Kukuk wrote:

> > In the grand scheme of things, PAM was supposed to remove the need for
> > applications to know about passwords at all. Not allowing apps to
> > get/set them from PAM was a design decision - all this info was supposed
> > to be something that a module managed.
>
> Yes, but the problem is that the functions to change the password
> in a pam module can also not access the token from the authentication
> function.

This is a self-inflicted problem. If the module used a PAM_AUTHTOK of some
sort to authenticate the user, then it (pam_sm_authenticate()) has the
opportunity to cache this value with pam_set_data(). In this way, its
pam_sm_chauthtok() function can check for the existence of said data
(pam_get_data()) when it is time for the user to select a new one.

The problem then is that pam_unix doesn't support this. Hacking around
this in the application is pretty ugly. Why not simply add this
functionality to the pam_unix module? (And make it optional based on a
module argument or something.)

Cheers

Andrew