On Tue, Apr 16, Andrew Morgan wrote:

> Thorsten Kukuk wrote:
> > > In the grand scheme of things, PAM was supposed to remove the need for
> > > applications to know about passwords at all. Not allowing apps to
> > > get/set them from PAM was a design decision - all this info was supposed
> > > to be something that a module managed.
> >
> > Yes, but the problem is that the functions to change the password
> > in a pam module can also not access the token from the authentication
> > function.
>
> This is a self-inflicted problem.
>
> If the module used a PAM_AUTHTOK of some sort to authenticate the user,
> then it (pam_sm_authenticate()) has the opportunity to cache this value
> with pam_set_data(). In this way, its pam_sm_chauthtok() function can
> check for the existence of said data (pam_get_data()) when it is time
> for the user to select a new one.
>
> The problem then is that pam_unix doesn't support this. Hacking around
> this in the application is pretty ugly. Why not simply add this
> functionality to the pam_unix module? (And make it optional based on a
> module argument or something.)

I wish to add it to the pam module, not to the application. I only hate to
store passwords with pam_set_data() for security reasons, and the initial
question was if there is already something else.

But it seems I have to implement something with pam_set_data for pam_unix2.

  Thorsten

--
Thorsten Kukuk       http://www.suse.de/~kukuk/       kukuk@suse.de
SuSE Linux AG        Deutschherrenstr. 15-19          D-90429 Nuernberg
--------------------------------------------------------------------
Key fingerprint = A368 676B 5E1B 3E46 CFCE 2D97 F8FD 4E23 56C6 FB4B
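The pattern Andrew Morgan describes (pam_sm_authenticate() caches the verified token with pam_set_data(), pam_sm_chauthtok() fetches it with pam_get_data()) is shown below as an added example; it is not code from this thread, from pam_unix or from pam_unix2. So that it builds without libpam installed, the few libpam entry points it uses (pam_get_item, pam_set_data, pam_get_data, and a pam_end-style teardown called pam_end_stub) are replaced by a constructed in-memory stand-in whose signatures and constant values follow <security/pam_modules.h>; the data name "example-cached-authtok", the backend password store, the credential check and the wipe counter are all constructed for the example. The cleanup callback registered with pam_set_data() zeroes the copy before freeing it, which is the part that addresses the security concern about keeping a password in module data, and the module drops the cached token as soon as the password change is done rather than waiting for pam_end().

```c
#include <stdlib.h>
#include <string.h>

/* ---- constructed stand-in for the libpam calls used below (names, signatures
   and constant values follow <security/pam_modules.h>; not the real library) ---- */
#define PAM_SUCCESS        0
#define PAM_BUF_ERR        5
#define PAM_AUTH_ERR       7
#define PAM_NO_MODULE_DATA 18
#define PAM_AUTHTOK_ERR    20
#define PAM_AUTHTOK        6            /* item: the token the application collected */
#define PAM_PRELIM_CHECK   0x4000
#define PAM_UPDATE_AUTHTOK 0x2000
#define PAM_DATA_REPLACE   0x20000000

typedef struct pam_handle pam_handle_t;
typedef void (*pam_cleanup_t)(pam_handle_t *pamh, void *data, int error_status);
struct pam_data { const char *name; void *data; pam_cleanup_t cleanup; struct pam_data *next; };
struct pam_handle { const char *authtok; struct pam_data *data; };   /* stand-in handle */

int pam_get_item(const pam_handle_t *pamh, int item, const void **out) {
    if (item != PAM_AUTHTOK) return PAM_AUTHTOK_ERR;   /* the stand-in only models PAM_AUTHTOK */
    *out = pamh->authtok;
    return PAM_SUCCESS;
}
int pam_set_data(pam_handle_t *pamh, const char *name, void *data, pam_cleanup_t cleanup) {
    for (struct pam_data *d = pamh->data; d; d = d->next)
        if (strcmp(d->name, name) == 0) {               /* replacing: the old cleanup runs first */
            if (d->cleanup) d->cleanup(pamh, d->data, PAM_DATA_REPLACE);
            d->data = data; d->cleanup = cleanup;
            return PAM_SUCCESS;
        }
    struct pam_data *d = malloc(sizeof *d);
    if (!d) return PAM_BUF_ERR;
    d->name = name; d->data = data; d->cleanup = cleanup; d->next = pamh->data;
    pamh->data = d;
    return PAM_SUCCESS;
}
int pam_get_data(const pam_handle_t *pamh, const char *name, const void **out) {
    for (struct pam_data *d = pamh->data; d; d = d->next)
        if (strcmp(d->name, name) == 0) { *out = d->data; return PAM_SUCCESS; }
    return PAM_NO_MODULE_DATA;
}
/* Plays the role of pam_end(): every registered cleanup runs, then the list is freed. */
void pam_end_stub(pam_handle_t *pamh, int status) {
    while (pamh->data) {
        struct pam_data *d = pamh->data; pamh->data = d->next;
        if (d->cleanup) d->cleanup(pamh, d->data, status);
        free(d);
    }
}

/* ---- the module side: what a pam_unix-style module could do ---- */
#define CACHED_TOKEN_NAME "example-cached-authtok"   /* constructed module-data name */
static char g_backend_pw[64] = "constructed-correct-pw"; /* constructed password backend */
static int  g_wipes;                                   /* how often the cleanup ran (for checks) */

/* Cleanup handed to pam_set_data(): zero the copy before freeing it, so the
   cleartext does not outlive the PAM transaction in freed heap memory. */
static void wipe_token(pam_handle_t *pamh, void *data, int error_status) {
    (void)pamh; (void)error_status;
    if (!data) return;
    volatile char *p = data;            /* volatile keeps the compiler from dropping the stores */
    while (*p) *p++ = '\0';
    free(data);
    g_wipes++;
}
static char *private_copy(const char *s) {   /* own copy: the app may free its item later */
    size_t n = strlen(s) + 1;
    char *c = malloc(n);
    if (c) memcpy(c, s, n);
    return c;
}

int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    const void *tok = NULL;
    (void)flags; (void)argc; (void)argv;
    if (pam_get_item(pamh, PAM_AUTHTOK, &tok) != PAM_SUCCESS || !tok) return PAM_AUTH_ERR;
    if (strcmp(tok, g_backend_pw) != 0) return PAM_AUTH_ERR;   /* constructed credential check */
    char *copy = private_copy(tok);
    if (!copy) return PAM_BUF_ERR;
    /* Cache the token that just authenticated the user, wiped by cleanup at pam_end(). */
    if (pam_set_data(pamh, CACHED_TOKEN_NAME, copy, wipe_token) != PAM_SUCCESS) {
        wipe_token(pamh, copy, 0);
        return PAM_AUTH_ERR;
    }
    return PAM_SUCCESS;
}

int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) {
    const void *cached = NULL, *newtok = NULL;
    (void)argc; (void)argv;
    /* Without the cached token, pam_sm_authenticate() did not run in this
       transaction and we have no proof of the caller: refuse instead of guessing. */
    if (pam_get_data(pamh, CACHED_TOKEN_NAME, &cached) != PAM_SUCCESS || !cached)
        return PAM_AUTHTOK_ERR;
    if (flags & PAM_PRELIM_CHECK) return PAM_SUCCESS;   /* first pass: only feasibility */
    if (strcmp(cached, g_backend_pw) != 0) return PAM_AUTHTOK_ERR;   /* old token still current? */
    /* On the update pass PAM_AUTHTOK carries the new password chosen by the user. */
    if (pam_get_item(pamh, PAM_AUTHTOK, &newtok) != PAM_SUCCESS || !newtok ||
        !*(const char *)newtok || strlen(newtok) >= sizeof g_backend_pw)
        return PAM_AUTHTOK_ERR;
    strcpy(g_backend_pw, newtok);
    /* Old token no longer needed: replace the entry so its cleanup wipes it now. */
    pam_set_data(pamh, CACHED_TOKEN_NAME, NULL, NULL);
    return PAM_SUCCESS;
}
const char *backend_password(void) { return g_backend_pw; }
int wipe_count(void) { return g_wipes; }
```

In a real module the stand-in section disappears and the two pam_sm_* functions link against libpam as usual; the point to keep is that the cached value is a private copy owned by the module, registered with a cleanup that wipes it, and released as soon as pam_sm_chauthtok() has finished with it.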