On Sun, Feb 02, 2003 at 09:18:31AM -0500, mike@flyn.org wrote:

> > No, that's what I said, the pam_mount module is badly written and
> > looking to the code, you will see that it mounts the volumes in the auth
> > part.

> > That's not what I learn reading through the pam documentation about the
> > purpose of auth.

> Yes. You are correct to say that pam_mount /should/ perform its operations
> using PAM's session interface instead of auth. However, the PAM shipped by the
> Debian project disallows one from querying a user's password using the session
> interface. Only the auth-related functions may retrieve a user's password.

It does not allow a session module to ask PAM for the previously retrieved
authentication credentials. I recall seeing discussion here of changing this
behavior, but I'm not aware that this change has been approved.

> This is why pam_mount uses PAM's auth interface.

> Red Hat's PAM distribution allows password access through its session
> interface. Why doesn't Debian's?

Red Hat's PAM library diverges a good deal from the upstream releases; the
current Debian PAM library is based almost wholly on the 0.76 Linux-PAM
release. If you want Debian to do something differently here, it should be
fixed upstream first.

Meanwhile, a possible workaround would be to restructure pam_mount into two
parts: a session component and an (optional) auth component, the latter
sitting at the end of the auth stack and grabbing the user's password for
eventual use by the session piece. The session component could even check for
PAM_AUTHTOK first, for greater portability between PAM implementations.

-- 
Steve Langasek
postmodern programmer