Hi Thorsten,

On Thu, Dec 11, 2003 at 09:18:49AM +0100, Thorsten Kukuk wrote:
> The LSB wrote a test suite for PAM. After looking at the results,
> I have some questions about the PAM specification, where I couldn't
> find anything:

> 1. The PAM specification describes the PAM_MAXTRIES error code, but
> not when it should be used. Does a module need to return PAM_MAXTRIES
> at some time?

This seems to be entirely up to the module writer. PAM_MAXTRIES seems to be allowed, if a module's authentication retry limit is exceeded. It has always seemed under-specified to me, because of the potential interactions between per-module and per-application retry limits.

> 2. If I call pam_authenticate with an unknown user, should the module
> return PAM_AUTHINFO_UNAVAIL or PAM_USER_UNKNOWN?
> As far as I understand the documentation, PAM_AUTHINFO_UNAVAIL should
> be returned if there are network or hardware problems, but not if the
> user is unknown to the system.

This agrees with my understanding: PAM_AUTHINFO_UNAVAIL means the module failed to verify the user, whereas PAM_USER_UNKNOWN means the user is known to not exist.

> 3. Calling pam_chauthtok and the user enters the correct old
> password, but aborts on typing the new one, should a PAM module
> return PAM_AUTHTOK_RECOVER_ERR (I think this is wrong, since we
> got the old token) or PAM_AUTHTOK_ERR?

This sounds like PAM_AUTHTOK_ERR to me.

Cheers,
-- 
Steve Langasek
postmodern programmer
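The return-code choices discussed in points 1 and 2 above, as an added example that is not part of the original message or of any PAM implementation. The backend, the `find_account` and `authenticate_once` helpers and the sample account are hypothetical, and returning PAM_MAXTRIES once the module's own limit is used up is one reading of the under-specified rule.

```c
#include <stddef.h>
#include <string.h>

/* Values as in Linux-PAM's <security/_pam_types.h>; a real module gets
 * them from <security/pam_modules.h> instead of defining them. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_AUTHINFO_UNAVAIL = 9,
       PAM_USER_UNKNOWN = 10, PAM_MAXTRIES = 11 };

/* Hypothetical backend result: the lookup has to tell "no such user"
 * apart from "could not ask", or the two codes cannot be distinguished. */
enum lookup { LOOKUP_FOUND, LOOKUP_NO_SUCH_USER, LOOKUP_BACKEND_DOWN };

struct account { const char *name; const char *secret; };

/* Constructed sample data standing in for a directory or shadow file. */
static const struct account sample_db[] = { { "alice", "correct horse" } };
static int backend_up = 1;  /* set to 0 to simulate a network/hardware fault */

static enum lookup find_account(const char *user, const struct account **out)
{
    if (!backend_up)
        return LOOKUP_BACKEND_DOWN;
    for (size_t i = 0; i < sizeof sample_db / sizeof sample_db[0]; i++)
        if (strcmp(sample_db[i].name, user) == 0) {
            *out = &sample_db[i];
            return LOOKUP_FOUND;
        }
    return LOOKUP_NO_SUCH_USER;
}

/* Hypothetical core of a pam_sm_authenticate(): one password attempt.
 * *failures is the module's own counter, max_tries its own retry limit. */
int authenticate_once(const char *user, const char *password,
                      int *failures, int max_tries)
{
    const struct account *acct = NULL;
    if (*failures >= max_tries)
        return PAM_MAXTRIES;                /* module limit already used up */
    switch (find_account(user, &acct)) {
    case LOOKUP_BACKEND_DOWN: return PAM_AUTHINFO_UNAVAIL; /* could not verify */
    case LOOKUP_NO_SUCH_USER: return PAM_USER_UNKNOWN;     /* known not to exist */
    case LOOKUP_FOUND:        break;
    }
    /* Plain comparison keeps the sample short; a real module verifies a hash. */
    if (strcmp(acct->secret, password) == 0) { *failures = 0; return PAM_SUCCESS; }
    ++*failures;
    return PAM_AUTH_ERR;
}

int main(void) { int f = 0; return authenticate_once("alice", "correct horse", &f, 3); }
```

The counter here belongs to the module alone; an application that also loops on pam_authenticate has its own limit, which is the interaction the reply calls under-specified.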