Re: understanding 'likeauth'

On Sun, 11 Jan 2004, Brian Jones wrote:

> Hi all,
>
> I've been trying to find a good explanation for exactly what the
> 'likeauth' parameter to the pam_unix module actually does, when
> (precisely) it should be used, etc.
>
> I've found a couple of places through google searches where this is
> discussed, but I'm still not sure if I get it. My understanding is that
> if you have pam_unix listed as 'sufficient' and another module under it
> listed as 'required', then 'likeauth' needs to be used to ensure that
> the value returned by the 'setcred()' function of the *second* module
> is the one returned to the application (assuming, of course, that the
> second module succeeds, of course).
>
> This is confusing, because I thought that if any part of the module
> failed, the module returns a failed status, and things move to the next
> module. This explanation seems to imply that multiple values are
> returned from pam_unix, one for 'auth()', and one for 'setcred()', and
> the failure of one doesn't mean the module fails? Is the module called
> twice or something? What's the order of operations in the (quite common)
> scenario of having:
>
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        required      /lib/security/$ISA/pam_deny.so
>
> Why do I need 'likeauth' here? What happens if I remove it?
>
> Can anyone shed s'more light or give a better example of the
> consequences of using or not using likeauth?
>

Hi there!

If you check out the source code of pam_unix (pam_unix_auth.c), you will
find the answer.

When pam_unix is required for auth, pam calls 2 functions into it:
pam_sm_authenticate and pam_sm_setcred.

In my opinion, pam calls pam_sm_authenticate and pam_sm_setcred one after
another.

If you provide the 'likeauth' parameter, pam_sm_setcred returns the same value
as pam_sm_authenticate (this last one stores it). I think that is the reason
why the parameter is called 'likeauth': return the same value as pam_sm_authenticate.

I'm not sure about what is the real value returned to the pam library.
Does that mean that if pam_sm_authenticate fails and no 'likeauth' has
been specified, the returned value is 'success' because pam_sm_setcred
returns success?

--
              __
   _ __ __ _ / _| __ _
  | '__/ _` | |_ / _` |
  | | | (_| |  _| (_| |
  |_|   __ _|_|   __ _|

  Rafa Forcada Martínez
mailto:rforcada@xxxxxxxxxxx

   JOvenes INformáticos
  http://www.join-es.com


_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
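
A minimal C model of the per-module behaviour the reply describes (the authenticate step stores its result, and the setcred step replays it when 'likeauth' is given), added here as an illustration; it is not pam_unix source and not part of the original message. The names `model_*`, `RC_*` and the `password_ok` flag are assumptions, and the model covers only what the module's two functions return, not how the PAM library combines results across a stack.

```c
/* Simplified model of the behaviour described above; not pam_unix source.
 * All names (model_*, RC_*) are hypothetical stand-ins for this example. */
#include <stdio.h>
#include <string.h>

enum { RC_SUCCESS = 0, RC_AUTH_ERR = 1 };      /* stand-ins for PAM return codes */

struct model_handle {                           /* stand-in for per-handle module data */
    int has_saved;
    int saved_auth_rc;
};

/* Modules receive their options as argc/argv; look for "likeauth". */
static int has_likeauth(int argc, const char **argv) {
    for (int i = 0; i < argc; i++)
        if (strcmp(argv[i], "likeauth") == 0) return 1;
    return 0;
}

/* Authenticate step: password_ok stands in for the real credential check. */
int model_authenticate(struct model_handle *h, int password_ok,
                       int argc, const char **argv) {
    int rc = password_ok ? RC_SUCCESS : RC_AUTH_ERR;
    if (has_likeauth(argc, argv)) {             /* remember the result for setcred */
        h->has_saved = 1;
        h->saved_auth_rc = rc;
    }
    return rc;
}

/* Setcred step: replay the saved result with likeauth, otherwise report success. */
int model_setcred(const struct model_handle *h, int argc, const char **argv) {
    if (has_likeauth(argc, argv) && h->has_saved)
        return h->saved_auth_rc;
    return RC_SUCCESS;
}

int main(void) {
    const char *with[] = { "likeauth", "nullok" }, *without[] = { "nullok" };
    struct model_handle a = {0}, b = {0};
    int auth_a = model_authenticate(&a, 0, 2, with);    /* wrong password */
    int auth_b = model_authenticate(&b, 0, 1, without); /* wrong password */
    printf("likeauth:    auth=%d setcred=%d\n", auth_a, model_setcred(&a, 2, with));
    printf("no likeauth: auth=%d setcred=%d\n", auth_b, model_setcred(&b, 1, without));
    return 0;
}
```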
